Abstract



Uncertainty relations express the fundamental incompatibility of certain observables in 
quantum mechanics. Far from just being puzzling constraints on our ability to know the 
state of a quantum system, uncertainty relations are at the heart of why some classically 
impossible cryptographic primitives become possible when quantum communication is 
allowed. This thesis is concerned with strong notions of uncertainty relations and their 
applications in quantum information theory. 

One operational manifestation of such uncertainty relations is a purely quantum effect 
referred to as information locking. A locking scheme can be viewed as a cryptographic 
protocol in which a uniformly random n-bit message is encoded in a quantum system using 
a classical key of size much smaller than n. Without the key, no measurement of this 
quantum state can extract more than a negligible amount of information about the message, 
in which case the message is said to be "locked". Furthermore, knowing the key, it is 
possible to recover, that is "unlock", the message. We give new efficient constructions of 
bases satisfying strong uncertainty relations leading to the first explicit construction of an 
information locking scheme. We also give several other applications of our uncertainty 
relations both to cryptographic and communication tasks. 

In addition, we define objects called QC-extractors, that can be seen as strong 
uncertainty relations that hold against quantum adversaries. We provide several 
constructions of QC-extractors, and use them to prove the security of cryptographic 
protocols for two-party computations based on the sole assumption that the parties' storage 
device is limited in transmitting quantum information. In doing so, we resolve a central 
question in the so-called noisy-storage model by relating security to the quantum capacity 
of storage devices. 
Summary

Uncertainty relations express the incompatibility of certain observables in quantum mechanics. Uncertainty relations are useful for understanding why certain cryptographic primitives that are impossible in the classical world become possible with quantum communication. This thesis studies strong notions of uncertainty relations and their applications to quantum information theory.

One operational manifestation of such uncertainty relations is a purely quantum effect called information locking. A locking scheme can be viewed as a cryptographic protocol in which a random message composed of n bits is encoded in a quantum system using a classical key of size much smaller than n. Without the key, no measurement on this quantum state can extract more than a negligible amount of information about the message, in which case the message is "locked". Moreover, knowing the key, it is possible to recover, or "unlock", the message. We propose new efficient constructions of bases satisfying strong uncertainty relations, leading to the first explicit construction of a locking scheme. We also present several other applications of our uncertainty relations to cryptographic tasks and communication tasks.

We also define objects called QC-extractors, which can be viewed as strong uncertainty relations that hold against quantum adversaries. We provide several constructions of QC-extractors, which we use to prove the security of cryptographic protocols for secure two-party computation assuming only that the players' memory is limited with respect to the transmission of quantum information. In doing so, we resolve a central question in the noisy-storage model by relating security to the quantum capacity of the memory.
Contents of the thesis

This thesis is mainly based on two papers. The first one is joint work with Patrick Hayden and Pranab Sen [Fawzi et al., 2011] and is presented in Chapters 3 and 4. The second paper is presented in Chapter 5 and is joint work with Mario Berta and Stephanie Wehner [Berta et al., 2012].
Notation

Common

log                    Binary logarithm.
ln                     Natural logarithm.
R                      Real numbers.
C                      Complex numbers.
M†                     Conjugate transpose of the matrix M.
[n]                    Set {1, ..., n}.
d_H                    Hamming distance d_H(x, y) = |{i : x_i ≠ y_i}|.
w                      Hamming weight w(x) = |{i : x_i ≠ 0}|.
p_X                    The distribution of a random variable X.
Pr{E}                  Probability of the event E.
E{X}                   Expectation of a random variable X.
[symbol illegible]     Expectation over y and fixed x.
f∘g                    Composition of the functions f and g.

Spaces

A, B, C, ...           Hilbert spaces associated with the systems A, B, C, ...
A ≅ A'                 A' is a copy of A.
d_A                    Dimension of the space A.
AB                     Tensor product A ⊗ B or composite system AB.
L(A, B)                Space of linear operators from A to B.
L(A)                   L(A, A).

Vectors

|ψ⟩_A, |φ⟩_A, ...      Vectors belonging to A.
⟨ψ|_A, ⟨φ|_A, ...      Dual vectors in L(A, C).
⟨ψ|φ⟩                  Inner product of the vectors |ψ⟩ and |φ⟩.

Operators

S(A)                   Set of density operators on A.
S_≤(A)                 Set of sub-normalized density operators on A.
ρ_A = ρ^A, ψ_A, ...    Density operators on A.
id_A = id^A            Identity map on A or L(A).
‖X‖_1                  Trace norm of the operator X.
‖X‖_2                  Hilbert-Schmidt norm of the operator X.

Distance measures for operators

Δ(ρ, σ)                Trace distance between ρ and σ.
F(ρ, σ)                Fidelity between ρ and σ.
F̄(ρ, σ)                Generalized fidelity between ρ and σ.
P(ρ, σ)                Purified distance between ρ and σ.

Measures of information

H(A)_ρ                 von Neumann entropy of the density operator ρ_A.
H(A|B)_ρ               Conditional von Neumann entropy of ρ_AB.
I(A;B)_ρ               Mutual information of the density operator ρ_AB.
H_min(A|B)_{ρ|σ}       Min-entropy of ρ_AB relative to σ_B.
H_min(A|B)_ρ           Conditional min-entropy of ρ_AB given B.
H_max(A|B)_ρ           Conditional max-entropy of ρ_AB given B.
H^ε_min(A|B)_ρ         Smooth min-entropy of ρ_AB given B.
H^ε_max(A|B)_ρ         Smooth max-entropy of ρ_AB given B.
H_2(A|B)_{ρ|σ}         Collision entropy of ρ_AB relative to σ_B.
h_2(ε)                 Binary entropy h_2(ε) = −ε log ε − (1 − ε) log(1 − ε).






Chapter 1 
Introduction 



1.1 Quantum information science 

Even though Turing machines are abstract mathematical constructions, they are widely 
believed to capture a universal notion of computation in our physical world. This is 
reflected by the Church-Turing thesis, which states that any computation performed on a 
physical device can also be performed by a Turing machine. The main reason the Church- 
Turing thesis is believed is that all known models for (reasonable) physical computation 
mechanisms were shown to be simulatable by a Turing machine. In fact, the strong Church- 
Turing thesis states that any computation performed efficiently by some physical device can 
be computed efficiently by a Turing machine. 

Consider now the problem of information transmission through a physical channel. 
How to model such a channel? A natural answer is to associate for each possible input 
a probability distribution on the possible outputs of the channel. The randomness is 
used to model our ignorance or lack of control of some phenomena happening in the 
transmission. There is a feeling that a better understanding of the physical process can 
always be incorporated in the model by adjusting the probabilities assigned to each outcome. 
As for Turing machines, there is a belief that the most general way to model a physical 
information channel is using probability distributions. 

When taking into account quantum theory, these assumptions should be re-examined. 
According to quantum physics, the state of a physical system, e.g., a potential computing 
device, need not be represented by some string of characters written on a tape, but can 
potentially be a superposition of many strings. Like for waves, different parts of the 
system could interfere with each other. Could such a model define a different notion of 



computation? There is by now significant evidence that this might be the case. Shor
[1997] showed that one could make use of wave-like properties in a quantum system to
factor integers efficiently, a problem that is believed to be hard for classical computers.
In addition, many other computational tasks seem to be much more natural and efficiently 
implementable for a quantum computer, in particular concerning the simulation of quantum 
mechanical systems [Feynman, 1982]. For information transmission, imagine a channel
that carries information using photon polarization, a property which is known to be best 
described by a quantum state. In this case, modelling the channel as a distribution over the 
outputs for each possible input is incomplete. In fact, it turns out that one can use quantum 
mechanical properties not only to increase the rate at which information is transmitted but 
also to perform tasks that are simply impossible using only "classical" communication. 



1.2 Conjugate coding 

An example of a task that becomes possible when quantum properties are used is key 
distribution. Suppose Alice and Bob are far apart and they want to exchange a secret over 
email. To achieve unconditional security¹, it is well-known that they have to share a large
private key about which the adversary does not have any information. How can they obtain 
such a key by communicating over a public channel? This task is impossible to achieve with 
unconditional security using only classical communication. 

In groundbreaking work, Bennett and Brassard [1984], based on an idea of Wiesner
[1983], devised a simple protocol for key distribution using quantum communication². One
of the key ideas of the protocol is to use "conjugate coding" [Wiesner, 1983]. Even though
the polarization of a photon cannot (reliably) store more than one bit of information, there
are several ways of encoding one bit in it. We can encode in the "rectilinear" basis, e.g., 0 ↦ H
(horizontal) and 1 ↦ V (vertical), or in the "diagonal" basis, e.g., 0 ↦ M (main diagonal)
and 1 ↦ A (anti-diagonal). This is a valid encoding because in both cases, the states
corresponding to 0 and 1 are perfectly distinguishable. However, an observer who does not
know which one of the two encodings was used cannot recover the encoded bit perfectly. In
fact, if he performs a measurement in the rectilinear basis and the actual state was M (which
belongs to the diagonal basis and encodes 0), then the result will be H (corresponding to 0)
with probability 1/2 and V (corresponding to 1) with probability 1/2.

We stress that this type of encoding in the polarization of a single photon does not have a
classical analogue. Assume we have two perfectly distinguishable classical states A and B.
One can define two possible encodings for bits: 0 ↦ A and 1 ↦ B, or 0 ↦ B and 1 ↦ A.
An adversary who does not know which encoding was used cannot obtain any information
about the encoded bit by seeing A or B. But given that we see A, we know that the encoded
bit is 0 if the first encoding was chosen and it is 1 if the second encoding was chosen. For the
quantum encoding described above, for all possible states H, V, M or A, it is not possible
to have a definite encoded value for both the rectilinear and diagonal bases. This is a form
of the uncertainty principle: either the "rectilinear value" or the "diagonal value" of a state
has to be undetermined. This idea of encoding in conjugate bases is at the heart of the
whole field of quantum cryptography that takes advantage of the uncertainty principle and
related ideas to guarantee privacy properties; see [Gisin et al., 2002, Scarani et al., 2009] for
surveys. The results in this thesis can be seen as stronger versions of conjugate coding that
use multiple (more than two) encodings.

¹ Unconditional security means that security doesn't rest on unproven computational assumptions.
² Note that this protocol can be and is implemented with today's technology. In fact, encryptors based on
quantum key distribution can actually be bought from a handful of companies.

The following more technical sections describe the context and the main results in this 
thesis. 



1.3 Uncertainty relations for quantum measurements 



1.3.1 Context 



The uncertainty principle was first formulated by Heisenberg [1927] and it states that
the position and momentum of a particle cannot both have definite values. It was then
generalized by Robertson [1929] to arbitrary observables that do not commute. Here,
we consider modern formulations of the uncertainty principle for which the measure of
uncertainty is an entropic quantity. Entropic uncertainty relations were introduced in
[Bialynicki-Birula and Mycielski, 1975, Deutsch, 1983, Hirschman, 1957] and have found
many applications in quantum information theory. For example, such relations are the
main ingredients in the proofs of security of protocols for two-party computations in the
bounded and noisy quantum storage models [Damgård et al., 2005, 2007, König et al.,
2012]. A simple example of an entropic uncertainty relation was given by Maassen and
Uffink [1988]. Let B_+ denote a "rectilinear" or computational basis of C² and B_× be a
"diagonal" or Hadamard basis and let B_+^n and B_×^n be the corresponding bases obtained
on the tensor product space (C²)^{⊗n}. All vectors in the rectilinear basis B_+^n have an inner
product with all vectors in the diagonal basis B_×^n upper bounded by 2^{−n/2} in absolute value.



The uncertainty relation of Maassen and Uffink [1988] states that for any quantum state on
n qubits described by a unit vector |ψ⟩ ∈ (C²)^{⊗n}, the average measurement entropy satisfies

\frac{1}{2}\left( H(p_{B_+^n,\psi}) + H(p_{B_\times^n,\psi}) \right) \geq \frac{n}{2},    (1.1)

where p_{B,ψ} denotes the outcome probability distribution when |ψ⟩ is measured in basis B
and H denotes the Shannon entropy. Equation (1.1) expresses the fact that the outcome
of at least one of two measurements cannot be well predicted, even after knowing which
measurement was performed.
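As an added worked example (not code from the thesis), the following Python computes the single-qubit case of the quantities above: the outcome distributions p_{B,ψ} for the rectilinear basis B_+ and the diagonal basis B_× of Section 1.2, the conjugate-coding observation that a measurement in the wrong basis returns the encoded bit with probability 1/2, and the n = 1 case of inequality (1.1), checked numerically over random unit vectors. The vector conventions (H, V as the columns of the identity and M, A as the columns of the Hadamard matrix) are the example's own assumptions.

```python
import math
import random

# Rectilinear basis B_+ = {H, V} and diagonal basis B_x = {M, A} as unit vectors in C^2
# (constructed convention: H, V are the computational basis, M, A the Hadamard basis).
INV_SQRT2 = 1 / math.sqrt(2)
B_PLUS = ((1, 0), (0, 1))                                    # H encodes 0, V encodes 1
B_CROSS = ((INV_SQRT2, INV_SQRT2), (INV_SQRT2, -INV_SQRT2))  # M encodes 0, A encodes 1
BASES = {"+": B_PLUS, "x": B_CROSS}


def inner(u, v):
    """<u|v> for vectors given as sequences of (possibly complex) amplitudes."""
    return sum(a.conjugate() * b for a, b in zip(u, v))


def outcome_distribution(basis, psi):
    """p_{B,psi}(i) = |<e_i|psi>|^2: outcome probabilities when |psi> is measured in B."""
    return [abs(inner(e, psi)) ** 2 for e in basis]


def shannon_entropy(p):
    """Shannon entropy (binary logarithm) of a probability vector."""
    return -sum(q * math.log2(q) for q in p if q > 0)


def average_entropy(psi):
    """Left-hand side of (1.1) for n = 1: average entropy over B_+ and B_x."""
    return 0.5 * (shannon_entropy(outcome_distribution(B_PLUS, psi))
                  + shannon_entropy(outcome_distribution(B_CROSS, psi)))


def encode(bit, key):
    """Conjugate coding: the key ('+' or 'x') selects the basis, the bit selects the vector."""
    return BASES[key][bit]


def wrong_basis_guess_probability(bit, key):
    """Probability that a measurement in the *other* basis returns the encoded bit."""
    other = "x" if key == "+" else "+"
    return outcome_distribution(BASES[other], encode(bit, key))[bit]


def check_uncertainty_relation(samples=2000, seed=0):
    """Smallest average entropy seen over random unit vectors in C^2; (1.1) says it is >= 1/2."""
    rng = random.Random(seed)
    worst = float("inf")
    for _ in range(samples):
        raw = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(2)]
        norm = math.sqrt(sum(abs(a) ** 2 for a in raw))
        psi = tuple(a / norm for a in raw)
        worst = min(worst, average_entropy(psi))
    return worst


if __name__ == "__main__":
    print("M measured in rectilinear basis, Pr[H]:", wrong_basis_guess_probability(0, "x"))
    print("average entropy of H:", average_entropy(B_PLUS[0]))
    print("min average entropy over random states:", check_uncertainty_relation())
```

The basis states H and V attain the bound of (1.1) with equality (entropy 0 in one basis, 1 in the other), which is why `check_uncertainty_relation` never dips below 1/2.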

A surprising application of entropic uncertainty relations is the effect known as
information locking [DiVincenzo et al., 2004] (see also [Leung, 2009]). Suppose Alice holds
a uniformly distributed random n-bit string X. She chooses a random basis K ∈_u {+^n, ×^n}
and encodes X in the basis B_K. This random quantum state E(X, K) is then given to Bob.
How much information about X can Bob, who does not know K, extract from this quantum
system via a measurement? To better appreciate the quantum case, observe that if X were
encoded in a classical state E_c(X, K), then E_c(X, K) would "hide" at most one bit about
X; more precisely, the mutual information between X and E_c(X, K) is at least n − 1.
For the quantum encoding E, one can show that for any measurement that Bob applies on
E(X, K) whose outcome is denoted I, the mutual information between X and I is at most
n/2 [DiVincenzo et al., 2004]. The n/2 missing bits of information about X are said to be
locked in the quantum state E(X, K). If Bob had access to K, then X can be easily obtained
from E(X, K): the one-bit key K can be used to unlock n/2 bits about X.

A natural question is whether it is possible to lock more than n/2 bits in this way.
In order to achieve this, the key K has to be chosen from a larger set. In terms of
uncertainty relations, this means that we need to consider t > 2 bases to achieve an average
measurement entropy larger than n/2 (equation (1.1)). In this case, the natural candidate is
a set of t mutually unbiased bases, the defining property of which is a small inner product
between any pair of vectors in different bases. Surprisingly, it was shown by Ballester and
Wehner [2007] and Ambainis [2010] that there are up to t = 2^{n/2} mutually unbiased bases
{B_1, B_2, ..., B_t} that only satisfy an average measurement entropy of n/2, which is only as
good as what can be achieved with two measurements (1.1). In other words, looking at the
pairwise inner product between vectors in different bases is not enough to obtain uncertainty
relations stronger than (1.1).

To achieve an average measurement entropy of (1 − ε)n for small ε while keeping the
number of bases subexponential in n, the only known constructions are probabilistic and
computationally inefficient [Hayden et al., 2004].
1.3.2 Summary of the contributions

Chapter 3. We introduce the notion of a metric uncertainty relation and connect it to
low-distortion embeddings of ℓ_2 into ℓ_1. A metric uncertainty relation also implies an
entropic uncertainty relation. We prove that random bases satisfy uncertainty relations
with a stronger definition and better parameters than previously known. Our proof is also
considerably simpler than earlier proofs. We give efficient constructions of bases satisfying
metric uncertainty relations. The bases are computable by quantum circuits of almost linear
size. These constructions are obtained by adapting an explicit norm embedding due to Indyk
[2007] and an extractor construction of Guruswami et al. [2009].

Chapter 4. We prove that any metric uncertainty relation leads to a locking scheme.
Applying the results of Chapter 3, we show the existence of locking schemes with key size
independent of the message length. Moreover, using the efficient constructions, we give the
first explicit strong information locking scheme. We also present a locking scheme
that can in principle be implemented with current technology. We use our locking schemes
to construct hiding fingerprints as defined by Gavinsky and Ito [2011].



We also apply our metric uncertainty relations to exhibit communication protocols that
perform equality testing of n-qubit states. We prove that this task can be performed by a
single message protocol using O(log(1/ε)) qubits and n bits of communication, where ε
is an error parameter. We also give a single message protocol that uses O(log² n) qubits,
where the computation of the sender is efficient.



1.4 Uncertainty relations in the presence of quantum side 
information 

1.4.1 Context 

Suppose that we are now looking for a stronger notion of uncertainty. We want the outcome 
to be unpredictable even if the adversary, who is trying to predict the outcome of the 
measurement, holds a system that is entangled with the system being measured. Let Alice 
hold a system A and Eve hold E, and the two systems are maximally entangled. How 
well can Eve predict the outcome of measurements in bases {B_1, ..., B_t}? It turns out that
because Alice and Eve are maximally entangled, Eve can perfectly predict the outcome that 
Alice obtains. In this case, there is no uncertainty at all from the point of view of Eve. The 
interesting question is then: Can we obtain some uncertainty if Eve holds some quantum
side information about the system A but is not maximally entangled with it? The amount
of uncertainty in the measurement outcomes should then be a function of some quantum
correlation measure between Alice and Eve. We should note here that unlike classical side
information which can usually be handled easily, quantum side information can behave
in unexpected ways; see for example the work on randomness extractors against quantum
adversaries [Gavinsky et al., 2007, König et al., 2005, Renner and König, 2005]. In beautiful
recent work, Renes and Boileau [2009] and Berta et al. [2010] showed that in fact one can
extend the uncertainty relation in equation (1.1) to allow for quantum side information.
Related uncertainty relations that hold in the presence of quantum memory have proven to
be a very useful tool in security proofs for quantum key distribution [Furrer et al., 2011,
Tomamichel and Renner, 2011, Tomamichel et al., 2012].



But as in the previous section, just two measurements are in many cases not sufficient to 
obtain the desired amount of uncertainty. Before this work, uncertainty relations that hold 
when the adversary has a quantum memory were known only for two measurements. 



1.4.2 Summary of contributions 

Chapter [5] We introduce QC-extractors by analogy to classical randomness extractors, 
which are objects that found many applications in theoretical computer science, and relate 
them to uncertainty relations with quantum side information. Using techniques similar to 
the ones used for proving decoupling results, we give several constructions of QC-extractors 
based on unitary two-designs, complete sets of mutually unbiased bases and single-qudit 
unitaries. These naturally lead to uncertainty relations in terms of the min-entropy and 
in terms of the von Neumann entropy. This gives the first uncertainty relations in the 
presence of quantum side information for more than two measurements. Moreover, we 
use the uncertainty relation for single-qubit measurements to finally link the security of 
two-party secure function evaluation to the ability of the parties' storage device to store 



quantum information [Wehner et al., 2008]. Previously, the security could only be shown
when the classical capacity [König et al., 2012] or entanglement cost [Berta et al., 2011a]
of the storage device was limited.



Chapter 2 
Preliminaries 



The objective of this chapter is to introduce some notations and results that will be used 
throughout this thesis. We start with a very brief section about classical information theory 
before moving to the description of quantum systems. 



2.1 Classical information theory 

Random variables are usually denoted by capital letters X, K, ..., while p_X denotes the
distribution of X, i.e., Pr{X = x} = p_X(x). The notation X ∼ p means that X
has distribution p. unif(S) is the uniform distribution on the set S. To measure the
distance between probability distributions on a finite set X, we use the total variation
distance or trace distance Δ(p, q) = ½ Σ_{x∈X} |p(x) − q(x)|. We also have Δ(p, q) =
[expression lost in extraction]. We will also write Δ(X, Y) for Δ(p_X, p_Y). When Δ(X, Y) ≤ ε, we say that
X is ε-close to Y. A useful characterization of the trace distance is Δ(p, q) =
1 − max_{X∼p, Y∼q} Pr{X = Y} (this equality is sometimes attributed to Doeblin [1938]).
Another useful measure of closeness between distributions is the fidelity F(p, q) =
Σ_{x∈X} √(p(x) q(x)), also known as the Bhattacharyya distance and related to the Hellinger
distance. We have the following relation between the fidelity and the trace distance:

1 - F(p,q) \leq \Delta(p,q) \leq \sqrt{1 - F(p,q)^2}.    (2.1)

The Shannon entropy of a distribution p on X is defined as H(p) = −Σ_{x∈X} p(x) log p(x)
where the log is taken here and throughout the thesis to be base two. We will also write
H(X) for H(p_X). The conditional entropy is defined by H(X|Y) = H(XY) − H(Y). It
also has the property that H(X|Y) = E_y{H(X|Y = y)}. The mutual information between
two random variables X and Y is defined as I(X; Y) = H(X) + H(Y) − H(X, Y). The
min-entropy of a distribution p is defined as H_min(p) = −log max_x p(x). We say that a
random variable X is a k-source if H_min(X) ≥ k.
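The following Python, added here as an illustration rather than taken from the thesis, implements the classical quantities of this section for distributions given as dictionaries: trace distance, fidelity and the check of (2.1), the coupling characterization attributed to Doeblin, and the Shannon, conditional, mutual and min-entropies, including both forms of H(X|Y). The joint distribution BSC_JOINT (a uniform bit sent through a binary symmetric channel with flip probability 0.1) is a constructed sample input.

```python
import math
from collections import Counter


def _support(p, q):
    return set(p) | set(q)


def trace_distance(p, q):
    """Delta(p, q) = (1/2) sum_x |p(x) - q(x)|; missing keys are treated as probability 0."""
    return 0.5 * sum(abs(p.get(x, 0.0) - q.get(x, 0.0)) for x in _support(p, q))


def fidelity(p, q):
    """F(p, q) = sum_x sqrt(p(x) q(x))."""
    return sum(math.sqrt(p.get(x, 0.0) * q.get(x, 0.0)) for x in _support(p, q))


def check_fidelity_bounds(p, q, tol=1e-12):
    """Inequality (2.1): 1 - F <= Delta <= sqrt(1 - F^2)."""
    f, d = fidelity(p, q), trace_distance(p, q)
    return (1 - f <= d + tol) and (d <= math.sqrt(max(0.0, 1 - f * f)) + tol)


def max_coupling_agreement(p, q):
    """max over couplings (X ~ p, Y ~ q) of Pr{X = Y}, which equals 1 - Delta(p, q).
    Putting mass min(p(x), q(x)) on each diagonal point (x, x) is an optimal coupling."""
    return sum(min(p.get(x, 0.0), q.get(x, 0.0)) for x in _support(p, q))


def shannon_entropy(p):
    """H(p) = -sum_x p(x) log2 p(x)."""
    return -sum(v * math.log2(v) for v in p.values() if v > 0)


def binary_entropy(eps):
    """h_2(eps) = -eps log eps - (1 - eps) log(1 - eps)."""
    return shannon_entropy({0: eps, 1: 1 - eps})


def min_entropy(p):
    """H_min(p) = -log2 max_x p(x)."""
    return -math.log2(max(p.values()))


def is_k_source(p, k):
    return min_entropy(p) >= k


def marginal(joint, index):
    """Marginal of a joint distribution over pairs (x, y); index 0 -> X, 1 -> Y."""
    m = Counter()
    for pair, v in joint.items():
        m[pair[index]] += v
    return dict(m)


def conditional_entropy(joint):
    """H(X|Y) = H(XY) - H(Y)."""
    return shannon_entropy(joint) - shannon_entropy(marginal(joint, 1))


def conditional_entropy_by_averaging(joint):
    """Same quantity computed as E_y{H(X|Y = y)}."""
    p_y = marginal(joint, 1)
    total = 0.0
    for y, py in p_y.items():
        cond = {x: v / py for (x, yy), v in joint.items() if yy == y}
        total += py * shannon_entropy(cond)
    return total


def mutual_information(joint):
    """I(X;Y) = H(X) + H(Y) - H(X, Y)."""
    return (shannon_entropy(marginal(joint, 0)) + shannon_entropy(marginal(joint, 1))
            - shannon_entropy(joint))


# Constructed sample: uniform bit X through a binary symmetric channel with flip prob. 0.1.
BSC_JOINT = {(0, 0): 0.45, (0, 1): 0.05, (1, 0): 0.05, (1, 1): 0.45}

if __name__ == "__main__":
    p, q = {0: 0.5, 1: 0.5}, {0: 0.9, 1: 0.1}
    print("Delta =", trace_distance(p, q), "F =", fidelity(p, q), "(2.1) holds:", check_fidelity_bounds(p, q))
    print("H(X|Y) =", conditional_entropy(BSC_JOINT), "I(X;Y) =", mutual_information(BSC_JOINT))
```

For the binary symmetric channel both conditional-entropy formulas return h_2(0.1) and the mutual information is 1 − h_2(0.1), the channel's capacity at a uniform input.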



2.2 Representation of physical systems 



We briefly describe the notation and the basic facts about quantum theory that will be used 
in this thesis. We refer the reader to [Nielsen and Chuang, 2000, Wilde, 2011] for more
details. 



2.2.1 Quantum states 

The state of a (pure) quantum system is represented by a unit vector in a Hilbert space.
For the purpose of this thesis, a Hilbert space is a finite-dimensional complex inner product
space. Quantum systems are denoted A, B, C, ... and are identified with their corresponding
Hilbert spaces. The dimension of A is denoted d_A. It is important to note that all unit
vectors represent valid physical states and for any two different vectors¹ one can perform
an experiment for which the two states have a different observable behaviour. Vectors in A
are denoted by "kets" |ψ⟩_A ∈ A and dual vectors (i.e., linear functions from A to C) are
denoted by "bras" ⟨φ|, so that ⟨φ| applied to |ψ⟩ gives ⟨φ|ψ⟩, which is simply the inner product between the
vectors |φ⟩ and |ψ⟩. Performing the product in the other direction, |ψ⟩⟨φ|, we obtain a linear
transformation mapping A to itself. In particular, |ψ⟩⟨ψ| is the orthogonal projector onto the
span of |ψ⟩. If we fix a basis of the Hilbert space, then we can represent |ψ⟩ as a column
vector v and the dual vector ⟨ψ| can be represented by v†, where M† represents the conjugate
transpose of the matrix M. In this thesis, every Hilbert space A comes with a preferred
orthonormal basis {|a⟩}_{a∈[d_A]} that we call the computational basis. The elements of this
basis are labeled by integers in [d_A] := {1, ..., d_A}. Often, the Hilbert spaces we consider
are composed of n qubits, i.e., have the form (C²)^{⊗n}. In this case, the computational basis
will also be labeled by strings in {0, 1}^n.

In order to model our ignorance of the description of a quantum system, we can consider
distributions {p_1, ..., p_r} over quantum states {|ψ_1⟩, ..., |ψ_r⟩}. It is well known that such
a distribution over states is best described by a density operator ρ = Σ_{i=1}^r p_i |ψ_i⟩⟨ψ_i| acting
on A. We denote by L(A, B) the set of linear transformations from A to B and we write
L(A) for L(A, A). Observe that a density operator is a Hermitian positive semidefinite
operator with unit trace. Conversely, any unit trace Hermitian operator ρ with non-negative
eigenvalues is a valid density operator. If we write ρ_A = Σ_i p_i |ψ_i⟩⟨ψ_i| where {|ψ_i⟩} form
an orthonormal eigenbasis for ρ, we can interpret the state of A as being |ψ_i⟩ with probability
p_i. In particular, the density operator associated with a pure state |ψ⟩ is |ψ⟩⟨ψ| and it will
be abbreviated by omitting the ket and bra: ψ := |ψ⟩⟨ψ|. We use S(A) to denote the set of
density operators acting on A. The Hilbert space on which a density operator ρ ∈ S(A) acts
is sometimes denoted by a superscript or subscript, as in ρ^A or ρ_A. This notation is also used
for pure states |ψ⟩_A ∈ A.

In order to describe the joint state of a system AB, the associated state space is the
tensor product Hilbert space A ⊗ B, which is sometimes simply denoted AB. If ρ_AB
describes the joint state on AB, the state on the system A is described by the partial trace
ρ_A = tr_B ρ_AB. The partial trace tr_B : L(A ⊗ B) → L(A) is defined as tr_B[ρ_AB] =
Σ_b (id_A ⊗ ⟨b|) ρ_AB (id_A ⊗ |b⟩), where {|b⟩} is an orthonormal basis of B.

A classical system can easily be described using this formalism. A distribution {p_i} over
[d] is represented by ρ = Σ_{i∈[d]} p_i |i⟩⟨i|. A state on XB is said to be classical on X if there
exists a basis {|x⟩} of X and a set of (non-normalized) operators ρ_x on B such that

[equation (2.2) lost in extraction]

¹ Technically, quantum states are actually rays rather than unit vectors in the Hilbert space, so two vectors
that only differ by a global phase represent the same state.



2.2.2 Evolution of quantum systems

The operations that change the state of a closed quantum system A are unitary
transformations on A. Recall that U ∈ L(A) is unitary if UU† = U†U = id. After
applying such a transformation, the state of system A evolves from ρ to UρU†. We can
also consider a system AB and act by a unitary on A to obtain the state U_A ρ_AB U_A† =
(U ⊗ id_B) ρ_AB (U ⊗ id_B)†.

Another important class of quantum operations are measurements. The most general
way to obtain classical information from a quantum state is by performing a measurement.
A measurement is described by a positive operator-valued measure (POVM), which is a set
{P_1, ..., P_s} of positive semidefinite operators that sum to the identity. If the state of the
quantum system is represented by the density operator ρ, the probability of observing the
outcome labeled i is tr[P_i ρ] for all i ∈ {1, ..., s}. Whenever {P_i} are orthogonal projectors,
we say that {P_i} is a projective measurement. A simple class of measurements that will be
extensively used in this thesis are measurements in a basis B. The measurement in the
basis B = {|e_i⟩}_{i∈[d_A]} is defined by the POVM described by the operators {|e_i⟩⟨e_i|}_{i∈[d_A]}
so that we obtain outcome i with probability tr[|e_i⟩⟨e_i| ρ] = ⟨e_i|ρ|e_i⟩ whenever the state of
the system is ρ. In particular, if the measurement is in the computational basis, we use the
special notation p_ρ(a) = tr[|a⟩⟨a| ρ], and p_{|ψ⟩}(a) = |⟨a|ψ⟩|² whenever the state ρ = |ψ⟩⟨ψ|
is pure.

More generally, we can represent the evolution of any quantum system by a completely
positive trace preserving (CPTP) map E_{A→C}. A map is called positive if for any positive
operator ρ, E(ρ) is also positive. It is called completely positive if for any quantum system
B, the map E ⊗ id_B : L(A ⊗ B) → L(C ⊗ B) is positive. Because this is the most general
kind of quantum operation, a CPTP map is also called a quantum channel.

We can view a measurement as a quantum channel that maps a quantum system to a
classical one. In particular, the map that performs a measurement in the computational basis
can be written as:

\mathcal{M}_{A \to X}(\cdot) = \sum_a \langle a | (\cdot) | a \rangle \, |a\rangle\langle a| ,    (2.3)

where {|a⟩} is the computational basis of A. Note that we renamed the system X to
emphasize that it is a classical system. We will also use extensively in Chapter 5 the map

\mathcal{T}_{A_1 A_2 \to A_1}(\cdot) = \sum_{a_1, a_2} \langle a_1 a_2 | (\cdot) | a_1 a_2 \rangle \, |a_1\rangle\langle a_1| ,    (2.4)

where {|a_1⟩}, {|a_2⟩} are the computational bases of A_1, A_2 respectively. A small calculation
readily reveals that this map can be understood as tracing out A_2, and then measuring the
remaining system A_1 in the basis {|a_1⟩}. Note that the outcome of the measurement map is
classical in the basis {|a_1⟩} on A_1.
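As an added example covering Sections 2.2.1 and 2.2.2 (it is not code from the thesis), this Python builds density operators from ensembles, takes partial traces, applies a unitary, and implements measurements in a basis together with the maps (2.3) and (2.4) on small matrices without any numerical library; it also checks the stated reading of (2.4) as "trace out A_2, then measure A_1 in the computational basis". The sample states (a Bell state and a mixture of |0⟩ and |+⟩) are constructed for the example.

```python
import math

# Dense-matrix helpers on lists of lists of complex numbers (constructed; no numpy needed).


def dagger(m):
    """Conjugate transpose M^dagger."""
    return [[m[j][i].conjugate() for j in range(len(m))] for i in range(len(m[0]))]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def outer(psi, phi):
    """|psi><phi| as a matrix."""
    return [[x * y.conjugate() for y in phi] for x in psi]


def tensor(u, v):
    """|u> ⊗ |v>; component index a*d_B + b, matching partial_trace_B below."""
    return [x * y for x in u for y in v]


def trace(m):
    return sum(m[i][i] for i in range(len(m)))


def density_from_ensemble(ensemble):
    """rho = sum_i p_i |psi_i><psi_i| for an ensemble [(p_i, psi_i), ...]."""
    d = len(ensemble[0][1])
    rho = [[0j] * d for _ in range(d)]
    for p, psi in ensemble:
        proj = outer(psi, psi)
        for i in range(d):
            for j in range(d):
                rho[i][j] += p * proj[i][j]
    return rho


def looks_like_density_operator(rho, tol=1e-9):
    """Necessary conditions only: Hermitian, unit trace, non-negative diagonal.
    (Full positivity needs an eigendecomposition, left out to stay dependency-free.)"""
    d = len(rho)
    hermitian = all(abs(rho[i][j] - rho[j][i].conjugate()) < tol for i in range(d) for j in range(d))
    return hermitian and abs(trace(rho) - 1) < tol and all(rho[i][i].real > -tol for i in range(d))


def evolve(unitary, rho):
    """Closed-system evolution rho -> U rho U^dagger."""
    return matmul(matmul(unitary, rho), dagger(unitary))


def partial_trace_B(rho_ab, d_a, d_b):
    """tr_B[rho_AB] = sum_b (id_A ⊗ <b|) rho_AB (id_A ⊗ |b>) in the computational basis of B."""
    return [[sum(rho_ab[i * d_b + b][j * d_b + b] for b in range(d_b)) for j in range(d_a)]
            for i in range(d_a)]


def measure_in_basis(basis, rho):
    """POVM {|e_i><e_i|}: Pr[i] = tr[|e_i><e_i| rho] = <e_i|rho|e_i>."""
    probs = []
    for e in basis:
        row = [sum(e[k].conjugate() * rho[k][j] for k in range(len(e))) for j in range(len(e))]
        probs.append(sum(row[j] * e[j] for j in range(len(e))).real)
    return probs


def measurement_map(rho):
    """M_{A->X} of (2.3): keep the computational-basis diagonal; the result is classical on X."""
    d = len(rho)
    return [[rho[i][i] if i == j else 0j for j in range(d)] for i in range(d)]


def t_map(rho_a1a2, d1, d2):
    """T_{A1A2->A1} of (2.4): sum over a1, a2 of <a1 a2|rho|a1 a2> |a1><a1|."""
    out = [[0j] * d1 for _ in range(d1)]
    for a1 in range(d1):
        out[a1][a1] = sum(rho_a1a2[a1 * d2 + a2][a1 * d2 + a2] for a2 in range(d2))
    return out


def close(m1, m2, tol=1e-9):
    return all(abs(x - y) < tol for r1, r2 in zip(m1, m2) for x, y in zip(r1, r2))


# Constructed sample states.
S = 1 / math.sqrt(2)
KET0, KET1 = (1 + 0j, 0j), (0j, 1 + 0j)
PLUS, MINUS = (S + 0j, S + 0j), (S + 0j, -S + 0j)
HADAMARD = [[S, S], [S, -S]]
BELL = [S * (a + b) for a, b in zip(tensor(KET0, KET0), tensor(KET1, KET1))]  # (|00> + |11>)/sqrt2
RHO_BELL = outer(BELL, BELL)
RHO_MIXED = density_from_ensemble([(0.5, KET0), (0.5, PLUS)])

if __name__ == "__main__":
    print("tr_B of Bell state:", partial_trace_B(RHO_BELL, 2, 2))
    print("T(Bell) == M(tr_B Bell):", close(t_map(RHO_BELL, 2, 2), measurement_map(partial_trace_B(RHO_BELL, 2, 2))))
    print("mixture measured in computational basis:", measure_in_basis([KET0, KET1], RHO_MIXED))
```

Tracing out one half of the Bell state leaves the maximally mixed state id/2, so (2.4) applied to it returns the uniform classical state on A_1, the same result as measuring tr_{A_2} of the state in the computational basis.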



2.2.3 Distance measures 



We will employ two well known distance measures between quantum states. The first is
the distance induced by the ℓ_1-norm defined by ‖M‖_1 = tr|M|. For ρ, σ ∈ S(A),
‖ρ − σ‖_1 is the sum of the absolute values of the eigenvalues of ρ − σ. As in the classical
case, one half of the ℓ_1-norm of a difference of two density operators, also known as the
trace distance Δ(ρ, σ) = ½ · ‖ρ − σ‖_1, is related to the success probability of distinguishing
two states ρ and σ given with a priori equal probability [Helstrom, 1967]:

\Delta(\rho,\sigma) = \max_{0 \leq \Lambda \leq \mathrm{id}} \operatorname{tr}[\Lambda(\rho - \sigma)].    (2.5)

The second distance measure we use is the purified distance. To define it, we first define the
fidelity between two states ρ, σ ∈ S(A) by F(ρ, σ) = ‖√ρ √σ‖_1. Note that if ρ = |ψ⟩⟨ψ|
is pure, then F(ρ, σ) = √⟨ψ|σ|ψ⟩. Another useful characterization of the fidelity is with
Uhlmann's theorem. Before stating the theorem, we need to define the important notion of
a purification. A purification of a density operator ρ ∈ S(A) is a pure state |ρ⟩ ∈ AR such
that tr_R[ρ_AR] = ρ_A. Such a purification always exists, for example one can choose R to be
a copy of A and |ρ⟩ = Σ_i √p_i |ψ_i⟩_A |ψ_i⟩_R, where {|ψ_i⟩} is an eigenbasis for ρ_A.



Theorem 2.2.1 (Uhlmann's theorem [Uhlmann, 1976]). Let $\rho, \sigma \in \mathcal{S}(A)$ and let $|\rho\rangle_{AR}$ and
$|\sigma\rangle_{AR}$ be purifications of $\rho$ and $\sigma$. Then we have

$$F(\rho, \sigma) = \max_{U} \left| \langle \rho|_{AR}\, (\mathrm{id}_A \otimes U)\, |\sigma\rangle_{AR} \right| ,$$

where the maximum is taken over unitary transformations $U$ on $R$.



See e.g., [Wilde, 2011, Theorem 9.2.1] for a proof. We will also need the concept of
generalized fidelity between two possibly sub-normalized positive operators $\rho, \sigma$, which can
be defined as [Tomamichel et al., 2010]

$$\bar{F}(\rho, \sigma) = F(\rho, \sigma) + \sqrt{(1 - \mathrm{tr}[\rho])(1 - \mathrm{tr}[\sigma])} .$$

Note that if at least one of the states is normalized, then the generalized fidelity is the
same as the fidelity, i.e., $\bar{F}(\rho, \sigma) = F(\rho, \sigma)$. The purified distance between two possibly
sub-normalized states $\rho, \sigma$ is then defined as

$$P(\rho, \sigma) = \sqrt{1 - \bar{F}(\rho, \sigma)^2} \qquad (2.6)$$

and is a metric on the set of sub-normalized states [Tomamichel, 2012, Tomamichel et al., 2010].



Observe that for pure states $\sqrt{1 - F(|\rho\rangle\langle\rho|, |\sigma\rangle\langle\sigma|)^2} = \frac{1}{2}\left\| |\rho\rangle\langle\rho| - |\sigma\rangle\langle\sigma| \right\|_1$. Hence, by
Uhlmann's theorem, we can think of the purified distance between two normalized states
as the minimal trace distance between any two purifications of the states $\rho$ and $\sigma$. The
purified distance is indeed closely related to the trace distance, as for any two states $\rho, \sigma$ we
have [Fuchs and van de Graaf, 1999, Tomamichel et al., 2010]:

$$\frac{1}{2}\|\rho - \sigma\|_1 \le P(\rho, \sigma) \le \sqrt{2\|\rho - \sigma\|_1} . \qquad (2.7)$$

It is furthermore easy to see that for normalized states the factor 2 on the right hand side can
be improved to 1.
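As an added derivation of the last claim (this short argument is not part of the original text): for normalized $\rho, \sigma$, the fidelity obeys the Fuchs and van de Graaf bound $F(\rho, \sigma) \ge 1 - \frac{1}{2}\|\rho - \sigma\|_1$, and $P(\rho, \sigma) = \sqrt{1 - F(\rho, \sigma)^2}$ because $\bar{F} = F$ for normalized states. Hence

$$P(\rho, \sigma)^2 = \bigl(1 - F(\rho, \sigma)\bigr)\bigl(1 + F(\rho, \sigma)\bigr) \le 2\bigl(1 - F(\rho, \sigma)\bigr) \le \|\rho - \sigma\|_1 ,$$

that is, $P(\rho, \sigma) \le \sqrt{\|\rho - \sigma\|_1}$, which is (2.7) with the factor 2 replaced by 1. The first inequality uses $F(\rho, \sigma) \le 1$, the second is the Fuchs and van de Graaf bound.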

For any distance measure, we can define an $\varepsilon$-ball of states around $\rho$ as the states at a
distance of at most $\varepsilon$ from $\rho$. For the purified distance, we write

$$\mathcal{B}^{\varepsilon}(\rho_A) = \left\{\tilde{\rho}_A \in \mathcal{S}_{\le}(A) : P(\rho_A, \tilde{\rho}_A) \le \varepsilon\right\} ,$$

where $\mathcal{S}_{\le}(A)$ is the set of positive operators on $A$ with trace at most 1.

All the distances we introduced have the property that they cannot increase by applying
a completely positive trace preserving map $\mathcal{T} : \mathcal{S}(A) \to \mathcal{S}(C)$. For any $\rho, \sigma \in \mathcal{S}_{\le}(A)$, we
have

$$P(\rho, \sigma) \ge P(\mathcal{T}(\rho), \mathcal{T}(\sigma)) , \qquad (2.8)$$

and

$$\|\rho - \sigma\|_1 \ge \|\mathcal{T}(\rho) - \mathcal{T}(\sigma)\|_1 . \qquad (2.9)$$
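The following is an added worked example, not code from the thesis: it computes the trace distance (2.5), the fidelity, and the purified distance (2.6) for single-qubit states and checks (2.7) with the factor 1 valid for normalized states. It uses only the Python standard library; for 2x2 states the fidelity $F = \|\sqrt{\rho}\sqrt{\sigma}\|_1$ is evaluated through the known closed form $F^2 = \mathrm{tr}(\rho\sigma) + 2\sqrt{\det\rho\,\det\sigma}$ (a standard qubit identity, not taken from the page), which avoids matrix square roots. The sample states are constructed for the example.

```python
import math

# Qubit density operators are 2x2 nested lists of Python complex numbers,
# so everything below runs on a bare Python install (no numpy).

def sub(x, y):
    return [[x[i][j] - y[i][j] for j in range(2)] for i in range(2)]

def matmul(x, y):
    return [[sum(x[i][k] * y[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def trace(m):
    return (m[0][0] + m[1][1]).real

def det(m):
    return (m[0][0] * m[1][1] - m[0][1] * m[1][0]).real

def herm_eigs(m):
    # Eigenvalues of a 2x2 Hermitian matrix from its (real) trace and determinant.
    t, d = trace(m), det(m)
    disc = math.sqrt(max(0.0, t * t - 4.0 * d))
    return (t + disc) / 2.0, (t - disc) / 2.0

def trace_distance(rho, sigma):
    # Delta(rho, sigma) = (1/2) ||rho - sigma||_1: half the sum of |eigenvalues| of rho - sigma.
    return 0.5 * sum(abs(ev) for ev in herm_eigs(sub(rho, sigma)))

def helstrom_success(rho, sigma):
    # Optimal probability of telling rho from sigma apart when each is given with probability 1/2;
    # the maximising Lambda in (2.5) is the projector onto the positive eigenspace of rho - sigma.
    return 0.5 * (1.0 + trace_distance(rho, sigma))

def fidelity(rho, sigma):
    # F = ||sqrt(rho) sqrt(sigma)||_1.  For 2x2 states this equals
    # sqrt(tr(rho sigma) + 2 sqrt(det(rho) det(sigma))), which avoids matrix square roots.
    cross = det(rho) * det(sigma)
    return math.sqrt(max(0.0, trace(matmul(rho, sigma)) + 2.0 * math.sqrt(max(0.0, cross))))

def purified_distance(rho, sigma):
    # P = sqrt(1 - F^2), equation (2.6); for normalized states the generalized fidelity equals F.
    f = fidelity(rho, sigma)
    return math.sqrt(max(0.0, 1.0 - f * f))

def fuchs_van_de_graaf_holds(rho, sigma):
    # Checks (2.7) for normalized states with the improved factor 1 on the right:
    #   (1/2)||rho - sigma||_1  <=  P(rho, sigma)  <=  sqrt(||rho - sigma||_1).
    d = trace_distance(rho, sigma)
    p = purified_distance(rho, sigma)
    return d <= p + 1e-12 and p <= math.sqrt(2.0 * d) + 1e-12

def ket_bra(v):
    return [[v[i] * v[j].conjugate() for j in range(2)] for i in range(2)]

# Constructed sample states (not from the thesis).
ZERO = ket_bra([1 + 0j, 0j])                                    # |0><0|
PLUS = ket_bra([1 / math.sqrt(2) + 0j, 1 / math.sqrt(2) + 0j])  # |+><+|
MAXMIX = [[0.5 + 0j, 0j], [0j, 0.5 + 0j]]                       # id / 2
BIASED = [[0.75 + 0j, 0j], [0j, 0.25 + 0j]]                     # diag(3/4, 1/4)

if __name__ == "__main__":
    pairs = {"pure |0> vs |+>": (ZERO, PLUS), "diag(3/4,1/4) vs id/2": (BIASED, MAXMIX)}
    for name, (a, b) in pairs.items():
        print(name, trace_distance(a, b), fidelity(a, b), purified_distance(a, b),
              helstrom_success(a, b), fuchs_van_de_graaf_holds(a, b))
```

For the two pure states the trace distance and the purified distance coincide ($1/\sqrt{2}$), as the observation on pure states above predicts; for the mixed pair the trace distance is $0.25$ and the purified distance about $0.259$, so both sides of (2.7) are visible on realistic input.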

2.2.4 Information measures

The von Neumann entropy of $\rho \in \mathcal{S}(A)$ is defined as $H(A)_\rho = -\mathrm{tr}[\rho \log \rho]$. Note that for
a classical state $\rho_X$ this is simply the Shannon entropy defined earlier. The conditional von
Neumann entropy of $A$ given $B$ for $\rho_{AB} \in \mathcal{S}(AB)$ is defined as

$$H(A|B)_\rho = H(AB)_\rho - H(B)_\rho .$$

There is an important difference with the classical case: $H(A|B)_\rho$ can be negative when the
state $\rho$ is entangled between $A$ and $B$. The conditional min-entropy of a state $\rho_{AB} \in \mathcal{S}(AB)$ is
defined as²

$$H_{\min}(A|B)_\rho = \max_{\sigma_B \in \mathcal{S}(B)} H_{\min}(A|B)_{\rho|\sigma} , \qquad (2.10)$$

with

$$H_{\min}(A|B)_{\rho|\sigma} = \max\left\{\lambda \in \mathbb{R} : \rho_{AB} \le 2^{-\lambda} \cdot \mathrm{id}_A \otimes \sigma_B\right\} .$$

For the special case where $B$ is trivial, we obtain $H_{\min}(A)_\rho = -\log\|\rho\|_\infty$, where $\|\rho\|_\infty$
denotes the largest singular value of $\rho$. For the case where we are conditioning on classical
side information, we can write the conditional min-entropy as:

$$H_{\min}(X|Y) = -\log \mathbb{E}_y\left\{2^{-H_{\min}(X|Y=y)}\right\} . \qquad (2.11)$$



The min-entropy is known to have interesting operational interpretations [König et al., 2009]. If $A$ is classical, then the min-entropy can be expressed as

$$H_{\min}(A|B)_\rho = -\log P_{\mathrm{guess}}(A|B) , \qquad (2.12)$$

where $P_{\mathrm{guess}}(A|B)$ is the average probability of guessing the classical symbol $A = a$
maximized over all possible measurements on $B$. If $A$ is quantum, then $H_{\min}(A|B)_\rho$ is
directly related to the maximal singlet fraction achievable by performing an operation on $B$:

$$H_{\min}(A|B)_\rho = -\log\left(|A| \max_{\Lambda_{B \to A'}} F\big(\Phi_{AA'}, (\mathrm{id}_A \otimes \Lambda)(\rho_{AB})\big)^2\right) , \qquad (2.13)$$

where $\Phi_{AA'} = \frac{1}{|A|}\sum_{a, a' \in [|A|]} |aa\rangle\langle a'a'|$ is a maximally entangled state.

² We write max instead of sup as we work with finite dimensional Hilbert spaces.

As the information theoretic tasks we wish to study usually allow for some error $\varepsilon > 0$,
the relevant entropy measures are often smoothed entropies. For the conditional min-entropy
this takes the form

$$H^{\varepsilon}_{\min}(A|B)_\rho = \max_{\tilde{\rho}_{AB} \in \mathcal{B}^{\varepsilon}(\rho_{AB})} H_{\min}(A|B)_{\tilde{\rho}} . \qquad (2.14)$$

More technical properties of entropic quantities

In this section, we state some additional entropic quantities that will be needed for some
proofs.

It will sometimes be more convenient to work with a version of the min-entropy in
which instead of maximizing over all states $\sigma_B$ on $B$, we simply take $\sigma_B = \rho_B$. The
reason the standard definition of the conditional min-entropy involves a maximization as
in equation (2.10) is to obtain the nice operational interpretation presented above. In
particular, if the systems $A$ and $B$ are classical taking discrete values $\{a\}$ and $\{b\}$, then
$H_{\min}(A|B)_{\rho|\rho} = -\log\max_{a,b} \frac{\langle ab|\rho_{AB}|ab\rangle}{\langle b|\rho_B|b\rangle}$, which is in general different from equation (2.11).
The smoothed version of this alternative definition becomes

$$H^{\varepsilon}_{\min}(A|B)_{\rho|\rho} = \max_{\tilde{\rho}_{AB} \in \mathcal{B}^{\varepsilon}(\rho_{AB})} H_{\min}(A|B)_{\tilde{\rho}|\tilde{\rho}} .$$

Tomamichel et al. [2011] showed that the smoothed versions of the two different definitions
cannot be too far apart from each other.

Lemma 2.2.2 ([Tomamichel et al., 2011, Lemma 18]). Let $\varepsilon' > 0$, $\varepsilon > 0$, and $\rho_{AB} \in \mathcal{S}(AB)$. Then

$$H^{\varepsilon'}_{\min}(A|B)_\rho - \log\left(\frac{2}{\varepsilon^2} + \frac{1}{1 - \varepsilon'}\right) \le H^{\varepsilon + \varepsilon'}_{\min}(A|B)_{\rho|\rho} \le H^{\varepsilon + \varepsilon'}_{\min}(A|B)_\rho .$$
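The following is an added example, not code from the thesis, illustrating the classical case of the quantities above: the guessing probability and min-entropy of (2.11) and (2.12), the alternative definition $H_{\min}(X|Y)_{\rho|\rho}$ with $\sigma_B = \rho_B$, the unconditional $H_{\min}(X) = -\log\|\rho\|_\infty$, and the Shannon conditional entropy for comparison. The joint distribution of a 2-bit secret $X$ and a 1-bit leakage $Y$ is constructed for the example; the point it makes is that the two min-entropy definitions really do differ, with the $\rho|\rho$ version never exceeding the standard one, as (2.10) requires.

```python
import math

# Constructed joint distribution (not from the thesis) of a 2-bit secret X in {0,1,2,3}
# and a 1-bit leakage Y in {0,1}, stored as {(x, y): probability}.
JOINT = {(0, 0): 1 / 4, (1, 0): 1 / 4, (2, 1): 3 / 8, (3, 1): 1 / 8}

def marginal(joint, position):
    # position 0 -> P(x), position 1 -> P(y)
    out = {}
    for key, p in joint.items():
        out[key[position]] = out.get(key[position], 0.0) + p
    return out

def guessing_probability(joint):
    # P_guess(X|Y) = sum_y max_x P(x, y): for each observed y, guess the most likely x (eq. 2.12).
    best = {}
    for (x, y), p in joint.items():
        best[y] = max(best.get(y, 0.0), p)
    return sum(best.values())

def hmin_conditional(joint):
    # H_min(X|Y) = -log P_guess(X|Y) = -log E_y[ 2^{-H_min(X|Y=y)} ]   (eqs. 2.11 and 2.12)
    return -math.log2(guessing_probability(joint))

def hmin_rho_rho(joint):
    # Alternative definition with sigma_B = rho_B: -log max_{x,y} P(x|y).
    py = marginal(joint, 1)
    return -math.log2(max(p / py[y] for (x, y), p in joint.items()))

def hmin_unconditional(joint):
    # H_min(X) = -log max_x P(x): the B-trivial case -log ||rho||_inf for a classical state.
    return -math.log2(max(marginal(joint, 0).values()))

def shannon_conditional(joint):
    # H(X|Y) = H(XY) - H(Y), for comparison: it is never below H_min(X|Y).
    py = marginal(joint, 1)
    return -sum(p * math.log2(p / py[y]) for (x, y), p in joint.items() if p > 0)

if __name__ == "__main__":
    print("P_guess(X|Y)         =", guessing_probability(JOINT))   # 5/8
    print("H_min(X|Y)           =", hmin_conditional(JOINT))       # log2(8/5) ~ 0.678
    print("H_min(X|Y)_{rho|rho} =", hmin_rho_rho(JOINT))           # -log2(3/4) ~ 0.415
    print("H_min(X)             =", hmin_unconditional(JOINT))     # log2(8/3) ~ 1.415
    print("H(X|Y)               =", shannon_conditional(JOINT))    # ~ 0.906
```

Read as a leakage analysis: without $Y$ the best guess of the secret succeeds with probability $3/8$, with $Y$ it succeeds with probability $5/8$, and the $\rho|\rho$ variant reports the worst single value of $y$ rather than the average over $y$ that the guessing interpretation needs.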

The max-entropy is defined by

$$H_{\max}(A|B)_\rho = \max_{\sigma_B \in \mathcal{S}(B)} \log F(\rho_{AB}, \mathrm{id}_A \otimes \sigma_B)^2 , \qquad (2.15)$$

and its smooth version

$$H^{\varepsilon}_{\max}(A|B)_\rho = \min_{\tilde{\rho}_{AB} \in \mathcal{B}^{\varepsilon}(\rho_{AB})} H_{\max}(A|B)_{\tilde{\rho}} . \qquad (2.16)$$
The following lemma shows that the conditional min- and max-entropies are dual to one
another.

Lemma 2.2.3 (Tomamichel et al. [2010]). Let $\rho_{AB} \in \mathcal{S}(AB)$, $\varepsilon \ge 0$, and $\rho_{ABC}$ be an
arbitrary purification of $\rho_{AB}$. Then

Finally, the quantum conditional collision entropy, which is closely related to the min-entropy, will be used in the proofs in Chapter [?]. For a state $\rho_{AB} \in \mathcal{S}(AB)$ relative to a state
$\sigma_B \in \mathcal{S}(B)$, it is defined as

$$H_2(A|B)_{\rho|\sigma} = -\log \mathrm{tr}\left[\left((\mathrm{id}_A \otimes \sigma_B^{-1/4})\, \rho_{AB}\, (\mathrm{id}_A \otimes \sigma_B^{-1/4})\right)^2\right] , \qquad (2.17)$$

where the inverses are generalized inverses. For $M \in \mathcal{L}(A)$, $M^{-1}$ is a generalized inverse
of $M$ if $MM^{-1} = M^{-1}M = \Pi_s$, where $\Pi_s$ denotes the projector onto the support of $M$.
In particular, if $M = \sum_i \alpha_i |v_i\rangle\langle v_i|$ and the vectors $|v_i\rangle$ are orthogonal with unit norm, then

$$M^{-1} = \sum_{i : \alpha_i \neq 0} \alpha_i^{-1}\, |v_i\rangle\langle v_i| .$$

The following lemma relates the collision and the min-entropy.

Lemma 2.2.4. Let $\rho_{AB} \in \mathcal{S}_{\le}(AB)$ and $\sigma_B \in \mathcal{S}(B)$ with $\mathrm{supp}(\rho_{AB}) \subseteq A \otimes \mathrm{supp}(\sigma_B)$,
where $\mathrm{supp}(\cdot)$ denotes the support. Then

$$H_{\min}(A|B)_{\rho|\sigma} \le H_2(A|B)_{\rho|\sigma} .$$

Proof. We have $\mathrm{supp}(\rho_{AB}) \subseteq A \otimes \mathrm{supp}(\sigma_B)$ and hence by [Berta et al., 2011b, Lemma B.2]

$$H_{\min}(A|B)_{\rho|\sigma} = -\log \max_{\omega_{AB} \in \mathcal{S}(AB)} \mathrm{tr}\left[\omega_{AB}\, (\mathrm{id}_A \otimes \sigma_B^{-1/2})\, \rho_{AB}\, (\mathrm{id}_A \otimes \sigma_B^{-1/2})\right] ,$$

where the inverses are generalized inverses. But for $\hat{\rho}_{AB} = \rho_{AB}/\mathrm{tr}[\rho_{AB}] \in \mathcal{S}(AB)$ we have

$$\begin{aligned}
H_2(A|B)_{\rho|\sigma} &= -\log \mathrm{tr}\left[\rho_{AB}\, (\mathrm{id}_A \otimes \sigma_B^{-1/2})\, \rho_{AB}\, (\mathrm{id}_A \otimes \sigma_B^{-1/2})\right] \\
&= -\log \mathrm{tr}[\rho_{AB}] - \log \mathrm{tr}\left[\hat{\rho}_{AB}\, (\mathrm{id}_A \otimes \sigma_B^{-1/2})\, \rho_{AB}\, (\mathrm{id}_A \otimes \sigma_B^{-1/2})\right] \\
&\ge -\log \max_{\omega_{AB} \in \mathcal{S}(AB)} \mathrm{tr}\left[\omega_{AB}\, (\mathrm{id}_A \otimes \sigma_B^{-1/2})\, \rho_{AB}\, (\mathrm{id}_A \otimes \sigma_B^{-1/2})\right] \\
&= H_{\min}(A|B)_{\rho|\sigma} .
\end{aligned}$$

□



We finish with three diverse lemmas that will be used several times. First, the Alicki–Fannes
inequality states that two states that are close in trace distance have von Neumann
entropies that are close.

Lemma 2.2.5 (Alicki and Fannes [2003]). For any states $\rho_{AB}$ and $\sigma_{AB}$ such that $\|\rho_{AB} - \sigma_{AB}\|_1 = \varepsilon$ with $\varepsilon \le 1/2$, we have

$$|H(A|B)_\rho - H(A|B)_\sigma| \le 4\varepsilon \log d_A + 2h_2(\varepsilon) ,$$

where $h_2(\varepsilon) = -\varepsilon\log\varepsilon - (1 - \varepsilon)\log(1 - \varepsilon)$ is the binary entropy function.

For a reference, see [Wilde, 2011, Theorem 11.9.4]. Note that such a statement is not true
of the min- and max-entropies, and it is for this reason that it is useful to define smoothed
versions.

The next lemma says that if you discard a classical system, the min-entropy can only
decrease.

Lemma 2.2.6 ([Berta et al., 2011c, Lemma C.5]). Let $\rho_{AXB} \in \mathcal{S}(AXB)$, $\varepsilon \ge 0$, with $X$
classical. Then

$$H^{\varepsilon}_{\min}(AX|B)_\rho \ge H^{\varepsilon}_{\min}(A|B)_\rho .$$

The last lemma we present here states that for states of the form $\rho^{\otimes n}$, the smooth min-entropy converges to the von Neumann entropy when the number of copies $n$ grows. This is
called the asymptotic equipartition property (AEP) for the smooth conditional min-entropy.

Lemma 2.2.7 ([Tomamichel et al., 2009, Remark 10]). Let $\rho_{AB} \in \mathcal{S}(AB)$, $\varepsilon > 0$, and
$n \ge \frac{8}{5}(1 - 2\log\varepsilon)$. Then,

$$\frac{1}{n} H^{\varepsilon}_{\min}(A|B)_{\rho^{\otimes n}|\rho^{\otimes n}} \ge H(A|B)_\rho - \frac{4\sqrt{1 - 2\log\varepsilon}\,\left(2 + \frac{\log|A|}{2}\right)}{\sqrt{n}} .$$

For a more detailed discussion of smooth entropies we refer to Renner [2008],
Tomamichel [2012].



2.3 Quantum computation 

The most widely used model for quantum computation is the quantum circuit model. Let
$U$ be a unitary acting on an $n$-qubit space. The objective is to implement $U$ with a small
number of fixed gates. The main measure of efficiency is then the size of the circuit, which
is the number of elementary gates that are used to perform the unitary. We say that a circuit
is efficient if the size of the circuit is polynomial in $n$.

There are many standard choices of sets of one- and two-qubit gates that allow the
approximation of all unitary transformations on $n$ qubits. This choice is not important
here. The properties of quantum circuits we use here are the following. The Hadamard
single-qubit gate, defined by

$$H = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} ,$$

is part of our elementary gates. And any reversible classical circuit on $n$ bits can be directly
extended to a quantum circuit with the same size that acts on the computational basis
elements in the same way as the classical circuit.



Chapter 3

Uncertainty relations for quantum measurements: Definition and constructions

Outline of the chapter In this chapter, we start by introducing uncertainty relations and
setting up some notation (Section 3.1). Then, we define metric uncertainty relations in
Section 3.2. In Section 3.3, we prove the existence of strong metric uncertainty relations.
Explicit constructions are given in Section 3.4.



3.1 Background 



In quantum mechanics, an uncertainty relation is a statement about the relationship between
measurements (or observables).¹ Heisenberg's uncertainty principle [Heisenberg, 1927] is
one of the cornerstones of quantum mechanics. It states that the position and the momentum
of a quantum particle cannot both have definite values. The uncertainty principle is a feature
of quantum theory that makes it different from classical physics: having both a localized
position and momentum is not a valid state according to quantum theory.

Heisenberg's uncertainty relation was generalized in several ways. The most common
way of presenting the uncertainty principle today is due to Robertson [1929]. It gives a lower
bound on the product of the variances of two observables as a function of their commutator,
which quantifies how compatible the two observables are. Later, Hirschman [1957] and
Bialynicki-Birula and Mycielski [1975] gave a formulation of an uncertainty relation in
terms of the entropy of the measurement outcomes. Deutsch [1983] pointed out that using
an entropy instead of the variance is a more desirable way of expressing uncertainty. He
proved that for any state $|\psi\rangle$, we have $H(p_{B_1, |\psi\rangle}) + H(p_{B_2, |\psi\rangle}) \ge -2\log\frac{1 + c(B_1, B_2)}{2}$, where
$c(B_1, B_2) = \max_{|b_1\rangle \in B_1, |b_2\rangle \in B_2} |\langle b_1|b_2\rangle|$ and $B_1$ and $B_2$ are bases of the ambient Hilbert space.
$p_{B, |\psi\rangle}$ denotes the outcome distribution when performing a measurement in $B$ on the state
$|\psi\rangle$ and $H$ denotes the Shannon entropy. This uncertainty relation was later improved by
Maassen and Uffink [1988] who showed that for all $|\psi\rangle$,

$$\frac{1}{2}\left(H(p_{B_1, |\psi\rangle}) + H(p_{B_2, |\psi\rangle})\right) \ge -\log c(B_1, B_2) . \qquad (3.1)$$

Observe that by using the properties of the Shannon entropy, we can rewrite equation (3.1)
as $H(X|K) \ge -\log c(B_1, B_2)$, where $K$ is uniformly distributed on $\{1, 2\}$ and $X$ is the
outcome of a measurement in the computational basis for the state $U_K|\psi\rangle$. This says that
even given the measurement $K$ that was performed, there is some uncertainty about the
outcome. If $B_1$ and $B_2$ are mutually unbiased, i.e., $c(B_1, B_2) \le 2^{-n/2}$ where $2^n$ is the
dimension of the ambient Hilbert space, we obtain a lower bound of $\frac{n}{2}$ on the average
measurement entropy. It is easy to see that such a lower bound cannot be improved: for any
bases $B_1, B_2$, one can always choose a state $|\psi_1\rangle$ that is aligned with one of the vectors of $B_1$
so that $H(p_{B_1, |\psi_1\rangle}) = 0$, in which case $\frac{1}{2}\left(H(p_{B_1, |\psi_1\rangle}) + H(p_{B_2, |\psi_1\rangle})\right) \le \frac{n}{2}$. More generally,
when considering $t$ bases, the best lower bound on the average measurement entropy one
can hope for is $(1 - 1/t)n$.

¹ In physics language, it probably makes more sense to use the word observable rather than measurement,
but as we have not given a mathematical definition of an observable, we mostly use the word measurement.

For many applications, an average measurement entropy of $\frac{n}{2}$ is not good enough. In
this chapter, we want to find bases for which the average measurement entropy is larger
than $\frac{n}{2}$ and close to the maximal value of $n$. As mentioned earlier, in order to achieve this,
one has to consider a larger set of measurements. In this case, the natural candidate is a
set of $t$ mutually unbiased bases, the defining property of which is a small inner product
between any pair of vectors in different bases, more precisely $c(B_i, B_j) \le 2^{-n/2}$ for all
$i \ne j$. For $2^n + 1$ measurements, Ivanovic [1992], Larsen [1990], Sanchez [1993] showed that
for $t = 2^n + 1$ mutually unbiased bases, the average entropy is at least $\log(2^n + 1) - 1$, which
is close to the best possible. In fact, their result is stronger: it even holds for the collision
entropy (Rényi entropy of order 2), which is in general smaller than the Shannon entropy.
For $2 < t < 2^n + 1$, the behaviour of mutually unbiased bases is not well understood.
The best general bound for an incomplete set of mutually unbiased bases was proved by
Damgård et al. [2004] and Azarchs [2004]:

$$\frac{1}{t}\sum_{k=1}^{t} H(p_{B_k, |\psi\rangle}) \ge n + \log\left(\frac{t}{2^n + t - 1}\right) . \qquad (3.2)$$

Observe that this bound is not useful for $t < 2^{n/2}$, because in this case the term
$\log(t/(2^n + t - 1)) < -n/2$, which makes (3.2) at best as good as the uncertainty relation
for two measurements in equation (3.1). Equation (3.2) is also known to hold for
the collision entropy. A similar bound for the min-entropy was also proved in [Schaffner,
2007, Corollary 4.19]. Surprisingly, it was shown by Ballester and Wehner [2007] and
Ambainis [2010] that there are up to $t = 2^n$ mutually unbiased bases $\{B_1, B_2, \ldots, B_t\}$
that only satisfy an average measurement entropy of $\frac{n}{2}$, which is only as good as what can be
achieved with two measurements (3.1). In other words, looking at the pairwise inner product
between vectors in different bases is not enough to obtain uncertainty relations stronger than
(3.1). To achieve an average measurement entropy of $(1 - \varepsilon)n$ for small $\varepsilon$ while keeping
the number of bases subexponential in $n$, the only known constructions are probabilistic and
computationally inefficient. Hayden et al. [2004] prove that random bases satisfy entropic
uncertainty relations of the form (3.1) with $n^4$ measurements with an average measurement
entropy of $n - 3$.

Brief word on applications of uncertainty relations Other than being one of the
defining features of quantum mechanics, uncertainty relations have many applications,
particularly to proving the security of quantum cryptographic protocols. As an example,
probably the simplest and most elegant proof of security for quantum key distribution known
to date is based on a recently discovered uncertainty relation [Tomamichel and Renner,
2011]. Moreover, the proofs of the security of bit commitment and oblivious transfer in
the bounded storage model are based on an uncertainty relation [Damgård et al., 2005,
2007, König et al., 2012]. We will describe several applications of uncertainty relations
in Chapter 4 and Section 5.4. For more details on entropic uncertainty relations and their
applications, see the survey [Wehner and Winter, 2011].

Notation Instead of talking about uncertainty relations for a set of bases, it is more
convenient here to talk about uncertainty relations for a set of unitary transformations. Let
$\{|x\rangle^C\}_x$ be the computational basis of $C$. We associate to the unitary transformation $U$ the
basis $\{U^\dagger|x\rangle\}_x$. On a state $|\psi\rangle$, the outcome distribution is described by

$$p_{U, |\psi\rangle}(x) = |\langle x|U|\psi\rangle|^2 .$$

As can be seen from this equation, we can equivalently talk about measuring the state $U|\psi\rangle$
in the computational basis. An entropic uncertainty relation for $U_1, \ldots, U_t$ can be written as

(3.3)



3.2 Metric uncertainty relations 



Even though entropy is a good measure of randomness, it is usually easier to work with the
distance to the uniform distribution when the distance is small. This will be our approach
here: our measure of uncertainty will be the closeness in total variation distance to the
uniform distribution. In other words, we are interested in sets of unitary transformations
$U_1, \ldots, U_t$ that for all $|\psi\rangle \in C$ satisfy

$$\frac{1}{t}\sum_{k=1}^{t} \Delta\left(p_{U_k, |\psi\rangle}, \mathrm{unif}([d_C])\right) \le \varepsilon$$

for some $\varepsilon \in (0, 1)$. $\Delta(p, q)$ refers to the total variation distance between distributions $p$ and
$q$. This condition is very strong, in fact too strong for our purposes, and we will see that a
weaker definition is sufficient to imply entropic uncertainty relations. Let $C = A \otimes B$. (For
example, if $C$ consists of $n$ qubits, $A$ might represent the first $n - \log n$ qubits and $B$ the last
$\log n$ qubits.) Moreover, let the computational basis for $C$ be of the form $\{|a\rangle_A \otimes |b\rangle_B\}_{a,b}$
where $\{|a\rangle\}$ and $\{|b\rangle\}$ are the computational bases of $A$ and $B$. Instead of asking for the
outcome of the measurement on the computational basis of the whole space to be uniform,
we only require that the outcome of a measurement of the $A$ system in its computational
basis $\{|a\rangle\}$ be close to uniform. More precisely, we define for $a \in [d_A]$,

$$p^A_{U, |\psi\rangle}(a) = \sum_{b=1}^{d_B} \left|\langle a|_A \langle b|_B\, U|\psi\rangle\right|^2 .$$

We can then define a metric uncertainty relation. Naturally, the larger the $A$ system, the
stronger the uncertainty relation for a fixed $B$ system.

Definition 3.2.1 (Metric uncertainty relation). Let $A$ and $B$ be Hilbert spaces. We say that a
set $\{U_1, \ldots, U_t\}$ of unitary transformations on $AB$ satisfies an $\varepsilon$-metric uncertainty relation
on $A$ if for all states $|\psi\rangle \in AB$,

$$\frac{1}{t}\sum_{k=1}^{t} \Delta\left(p^A_{U_k, |\psi\rangle}, \mathrm{unif}([d_A])\right) \le \varepsilon , \quad \text{where } p^A_{U, |\psi\rangle}(a) = \sum_{b} \left|\langle a|_A\langle b|_B\, U|\psi\rangle\right|^2 . \qquad (3.4)$$
Remark. Observe that this implies that (3.4) also holds for mixed states: for any $\psi \in \mathcal{S}(A \otimes B)$, $\frac{1}{t}\sum_{k=1}^{t}\Delta\left(p^A_{U_k, \psi}, \mathrm{unif}([d_A])\right) \le \varepsilon$.

Note that there is a reason we are looking at the average over the different values of $k$
rather than some other quantity. In fact, we can rewrite the condition (3.4) as

$$\Delta\left(q_{|\psi\rangle}, \mathrm{unif}([d_A]) \times \mathrm{unif}([t])\right) \le \varepsilon , \qquad (3.5)$$

where $q_{|\psi\rangle}$ is the distribution on $[d_A] \times [t]$ of the random variable $(X, K)$, where $K$ is
uniformly distributed on $[t]$ and $X$ refers to the outcome of the computational basis measurement
on $A$ when it is performed on the state $U_K|\psi\rangle$. This means that even given the measurement
$K$ that was performed, the outcome of the measurement is still $\varepsilon$-close to uniform.
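The following is an added example, not code from the thesis, that makes the objects of Section 3.1 and of Definition 3.2.1 concrete for a small number of qubits: it evaluates the outcome distributions $p_{U,|\psi\rangle}$ for the pair $\{\mathrm{id}, H^{\otimes n}\}$ (two mutually unbiased bases, so $c = 2^{-n/2}$ and (3.1) gives the $n/2$ bound), the marginals $p^A_{U,|\psi\rangle}$ on the first qubits, the average trace distance of (3.4), and the joint-distribution form (3.5), confirming that the two forms agree. States are plain lists of amplitudes; the Walsh–Hadamard butterfly implements $H^{\otimes n}$ with $H = \frac{1}{\sqrt 2}\begin{pmatrix}1&1\\1&-1\end{pmatrix}$ the usual single-qubit Hadamard gate. The test states are constructed for the example.

```python
import math

# n-qubit pure states are lists of 2**n complex amplitudes; the list index x is the
# computational basis label, with the first qubit as the most significant bit.
# Constructed example (not code from the thesis).

def hadamard_n(psi):
    # H^{tensor n} via the in-place Walsh-Hadamard butterfly, with
    # H = (1/sqrt 2) [[1, 1], [1, -1]] the single-qubit Hadamard gate.
    out = list(psi)
    size = len(out)
    h = 1
    while h < size:
        for i in range(0, size, 2 * h):
            for j in range(i, i + h):
                u, v = out[j], out[j + h]
                out[j], out[j + h] = (u + v) / math.sqrt(2), (u - v) / math.sqrt(2)
        h *= 2
    return out

def identity_n(psi):
    return list(psi)

def outcome_distribution(phi):
    # p_{U,|psi>}(x) = |<x|U|psi>|^2, with phi = U|psi> already computed.
    return [abs(amp) ** 2 for amp in phi]

def marginal_on_a(p, n_a, n):
    # p^A(a) = sum_b p(a, b): A is the first n_a qubits, B the remaining n - n_a qubits.
    d_b = 2 ** (n - n_a)
    return [sum(p[a * d_b + b] for b in range(d_b)) for a in range(2 ** n_a)]

def shannon(p):
    return -sum(x * math.log2(x) for x in p if x > 1e-15)

def tv_to_uniform(p):
    # Delta(p, unif([d])) = (1/2) sum_x |p(x) - 1/d|
    d = len(p)
    return 0.5 * sum(abs(x - 1.0 / d) for x in p)

# Two mutually unbiased bases: the computational basis and the Hadamard basis.
UNITARIES = [identity_n, hadamard_n]

def average_entropy(psi, unitaries=UNITARIES):
    # Left-hand side of the Maassen-Uffink relation (3.1): (1/t) sum_k H(p_{U_k,|psi>}).
    return sum(shannon(outcome_distribution(u(psi))) for u in unitaries) / len(unitaries)

def maassen_uffink_bound(n):
    # -log c(B_1, B_2) with c = 2^{-n/2} for the computational and Hadamard bases.
    return n / 2

def average_tv_on_a(psi, n_a, n, unitaries=UNITARIES):
    # Left-hand side of the metric uncertainty relation (3.4).
    return sum(tv_to_uniform(marginal_on_a(outcome_distribution(u(psi)), n_a, n))
               for u in unitaries) / len(unitaries)

def joint_tv(psi, n_a, n, unitaries=UNITARIES):
    # Left-hand side of (3.5): distance of the law of (X, K), K uniform on [t],
    # from the uniform distribution on [d_A] x [t].
    t = len(unitaries)
    q = [p / t for u in unitaries for p in marginal_on_a(outcome_distribution(u(psi)), n_a, n)]
    return tv_to_uniform(q)

def basis_state(n, x):
    psi = [0j] * (2 ** n)
    psi[x] = 1 + 0j
    return psi

def ghz_state(n):
    # (|0...0> + |1...1>) / sqrt 2
    psi = [0j] * (2 ** n)
    psi[0] = psi[-1] = 1 / math.sqrt(2) + 0j
    return psi

if __name__ == "__main__":
    n, n_a = 4, 3
    psi = basis_state(n, 0)   # aligned with B_1: entropy 0 there and n in the Hadamard basis
    print(average_entropy(psi), maassen_uffink_bound(n))         # 2.0 >= 2.0: the n/2 bound is tight
    print(average_tv_on_a(psi, n_a, n), joint_tv(psi, n_a, n))   # both 7/16: (3.4) and (3.5) agree
```

With $n = 4$ and $A$ the first three qubits, the basis state reaches the $n/2$ bound of (3.1) exactly, as the text says an aligned state must, and the averaged distance of (3.4) is $7/16$: two bases leave the $A$-marginal far from uniform, which is why the chapter looks for larger sets of unitaries.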

Metric uncertainty relations imply entropic uncertainty relations In the next
proposition, we show that a metric uncertainty relation implies an entropic uncertainty
relation.

Proposition 3.2.2. Let $\varepsilon \in (0, 1/2)$ and $\{U_1, \ldots, U_t\}$ be a set of unitaries on $AB$ satisfying
an $\varepsilon$-metric uncertainty relation on $A$:

$$\frac{1}{t}\sum_{k=1}^{t}\Delta\left(p^A_{U_k, |\psi\rangle}, \mathrm{unif}([d_A])\right) \le \varepsilon .$$

Then

$$\frac{1}{t}\sum_{k=1}^{t} H(p_{U_k, |\psi\rangle}) \ge (1 - 8\varepsilon)\log d_A - 2h_2(2\varepsilon) ,$$

where $h_2(\varepsilon) = -\varepsilon\log\varepsilon - (1 - \varepsilon)\log(1 - \varepsilon)$ is the binary entropy function.

Proof. Recall that the distribution $p^A_{U_k, |\psi\rangle}$ (see equation (3.4) for a definition) on $[d_A]$ is a
marginal of the distribution $p_{U_k, |\psi\rangle}$. Thus $H(p_{U_k, |\psi\rangle}) \ge H(p^A_{U_k, |\psi\rangle})$. Using Fannes' inequality
(a special case of the Alicki–Fannes inequality 2.2.5), we have for all $k$

$$H(p^A_{U_k, |\psi\rangle}) \ge \left(1 - 8\,\Delta\left(p^A_{U_k, |\psi\rangle}, \mathrm{unif}([d_A])\right)\right)\log d_A - 2h_2\left(2\,\Delta\left(p^A_{U_k, |\psi\rangle}, \mathrm{unif}([d_A])\right)\right) .$$

By averaging over $k$, and using the concavity of $h_2$, we obtain the desired result. □



Explicit link to low-distortion embeddings Even though we do not explicitly use the
link to low-distortion embeddings, we describe the connection as it might have other
applications. In the definition of metric uncertainty relations, the distance between
distributions was computed using the trace distance. The connection to low-distortion metric
embeddings is clearer when we measure closeness of distributions using the fidelity. We
have

$$F\left(p^A_{U_k, |\psi\rangle}, \mathrm{unif}([d_A])\right) = \sum_{a=1}^{d_A} \sqrt{p^A_{U_k, |\psi\rangle}(a)\cdot\frac{1}{d_A}} = \frac{1}{\sqrt{d_A}} \sum_{a=1}^{d_A} \sqrt{\sum_{b=1}^{d_B} \left|\langle a|_A\langle b|_B\, U_k|\psi\rangle\right|^2} = \frac{1}{\sqrt{d_A}}\left\| U_k|\psi\rangle \right\|_{\ell_1^A(\ell_2^B)} ,$$

where the norm $\ell_1^A(\ell_2^B)$ is defined by

Definition 3.2.3 ($\ell_1^A(\ell_2^B)$ norm). For a state $|\psi\rangle = \sum_{a,b} \psi_{a,b}\, |a\rangle_A |b\rangle_B$,

$$\left\| |\psi\rangle \right\|_{\ell_1^A(\ell_2^B)} = \sum_a \sqrt{\sum_b |\psi_{a,b}|^2} .$$

We use $\|\cdot\|_{12} = \|\cdot\|_{\ell_1^A(\ell_2^B)}$ when the systems $A$ and $B$ are clear from the context.

Observe that this definition of norm depends on the choice of the computational basis.
The $\ell_1^A(\ell_2^B)$ norm will always be taken with respect to the computational bases.
For $\{U_1, \ldots, U_t\}$ to satisfy an uncertainty relation, we want

$$\frac{1}{t}\sum_{k=1}^{t} F\left(p^A_{U_k, |\psi\rangle}, \mathrm{unif}([d_A])\right) \ge 1 - \varepsilon .$$

This expression can be rewritten by introducing a new register $K$ that holds the index $k$. We
get for all $|\psi\rangle$,

$$\left\| \frac{1}{\sqrt{t}} \sum_{k} U_k|\psi\rangle \otimes |k\rangle^K \right\|_{\ell_1^{AK}(\ell_2^B)} \ge (1 - \varepsilon)\sqrt{t\, d_A} . \qquad (3.6)$$

Using the Cauchy–Schwarz inequality, we have that for all $|\psi\rangle$,

$$\left\| \frac{1}{\sqrt{t}} \sum_{k} U_k|\psi\rangle \otimes |k\rangle^K \right\|_{\ell_1^{AK}(\ell_2^B)} \le \sqrt{t \cdot d_A}\, \left\| \frac{1}{\sqrt{t}} \sum_{k} U_k|\psi\rangle \otimes |k\rangle^K \right\|_2 = \sqrt{t \cdot d_A} . \qquad (3.7)$$

Rewriting (3.6) and (3.7) as

$$(1 - \varepsilon) \le \frac{1}{\sqrt{t\, d_A}} \left\| \frac{1}{\sqrt{t}} \sum_{k} U_k|\psi\rangle \otimes |k\rangle^K \right\|_{\ell_1^{AK}(\ell_2^B)} \le 1 ,$$

we see that the image of $C$ by the linear map $|\psi\rangle \mapsto \frac{1}{\sqrt{t}}\sum_k U_k|\psi\rangle \otimes |k\rangle$ is an almost
Euclidean subspace of $(A \otimes K \otimes B, \ell_1^{AK}(\ell_2^B))$. In other words, as the map
$|\psi\rangle \mapsto \frac{1}{\sqrt{t}}\sum_k U_k|\psi\rangle \otimes |k\rangle$ is an isometry (in the $\ell_2$ sense), it is an embedding of $(C, \ell_2)$ into
$(AKB, \ell_1^{AK}(\ell_2^B))$ with distortion $1/(1 - \varepsilon)$.

Observe that a general low-distortion embedding of $(C, \ell_2)$ into $(AKB, \ell_1^{AK}(\ell_2^B))$ does
not necessarily give a metric uncertainty relation as it need not be of the form $|\psi\rangle \mapsto
\frac{1}{\sqrt{t}}\sum_k U_k|\psi\rangle \otimes |k\rangle$. When $t = 2$, a metric uncertainty relation is related to the notion
of Kashin decomposition [Kashin, 1977]; see also [Pisier, 1989, Szarek, 2006].



A remark on the composition of metric uncertainty relations There is a natural
way of building an uncertainty relation for a Hilbert space from uncertainty relations on
smaller Hilbert spaces. This composition property is also important for the cryptographic
applications of metric uncertainty relations presented in Chapter 4, in which setting it
ensures the security of parallel composition of locking schemes.

Proposition 3.2.4. Consider Hilbert spaces $A_1, A_2, B_1, B_2$. For $i \in \{1, 2\}$, let $\{U^{(i)}_{k}\}_{k \in [t_i]}$
be a set of unitary transformations of $A_i \otimes B_i$ satisfying an $\varepsilon$-metric uncertainty relation on
$A_i$. Then, $\{U^{(1)}_{k_1} \otimes U^{(2)}_{k_2}\}_{(k_1, k_2) \in [t_1] \times [t_2]}$ satisfies a $2\varepsilon$-metric uncertainty relation on $A_1 \otimes A_2$.

Proof. Let $|\psi\rangle \in (A_1 \otimes B_1) \otimes (A_2 \otimes B_2)$ and let $p_{k_1, k_2}$ denote the distribution obtained by
measuring $U^{(1)}_{k_1} \otimes U^{(2)}_{k_2}|\psi\rangle$ in the computational basis of $A_1 \otimes A_2$. Our objective is to show
that

$$\frac{1}{t_1 t_2} \sum_{k_1 \in [t_1],\, k_2 \in [t_2]} \Delta\left(p_{k_1, k_2}, \mathrm{unif}([d_{A_1}] \times [d_{A_2}])\right) \le 2\varepsilon . \qquad (3.8)$$

We have

$$\begin{aligned}
\Delta\left(p_{k_1, k_2}, \mathrm{unif}([d_{A_1}] \times [d_{A_2}])\right) &= \frac{1}{2}\sum_{a_1, a_2} \left| p_{k_1, k_2}(a_1, a_2) - \frac{1}{d_{A_1} d_{A_2}} \right| \\
&\le \frac{1}{2}\sum_{a_1, a_2} \left| p_{k_1, k_2}(a_1, a_2) - \frac{p^{1}_{k_1, k_2}(a_1)}{d_{A_2}} \right| + \frac{1}{2}\sum_{a_1, a_2} \left| \frac{p^{1}_{k_1, k_2}(a_1)}{d_{A_2}} - \frac{1}{d_{A_1} d_{A_2}} \right| \qquad (3.9) \\
&= \frac{1}{2}\sum_{a_1} p^{1}_{k_1, k_2}(a_1) \sum_{a_2} \left| \frac{p_{k_1, k_2}(a_1, a_2)}{p^{1}_{k_1, k_2}(a_1)} - \frac{1}{d_{A_2}} \right| + \Delta\left(p^{1}_{k_1, k_2}, \mathrm{unif}([d_{A_1}])\right) , \qquad (3.10)
\end{aligned}$$

where $p^{1}_{k_1, k_2}(a_1) = \sum_{a_2} p_{k_1, k_2}(a_1, a_2)$ is the outcome distribution of measuring the $A_1$
system of $U^{(1)}_{k_1} \otimes U^{(2)}_{k_2}|\psi\rangle$. The distribution can also be seen as the outcome of






measuring the mixed state $\mathrm{tr}_{A_2 B_2}\!\left[(U^{(1)}_{k_1} \otimes U^{(2)}_{k_2})\, |\psi\rangle\langle\psi|\, (U^{(1)}_{k_1} \otimes U^{(2)}_{k_2})^\dagger\right]$
in the computational basis $\{|a_1\rangle\}$. Thus, we have for any $k_2 \in [t_2]$,

$$\frac{1}{t_1}\sum_{k_1 \in [t_1]} \Delta\left(p^{1}_{k_1, k_2}, \mathrm{unif}([d_{A_1}])\right) \le \varepsilon .$$

Moreover, for $a_1 \in [d_{A_1}]$, the distribution on $[d_{A_2}]$ defined by $\frac{p_{k_1, k_2}(a_1, a_2)}{p^{1}_{k_1, k_2}(a_1)}$ is the outcome
distribution of measuring in the computational basis of $A_2$ the state

$$U^{(2)}_{k_2}\, \psi^{A_2 B_2}_{a_1}\, U^{(2)\dagger}_{k_2} ,$$

where $\psi^{A_2 B_2}_{a_1}$ is the density operator describing the state of the system $A_2 B_2$ given that the
outcome of the measurement of the $A_1$ system is $a_1$. We can now use the fact that $\{U^{(2)}_{k_2}\}$
satisfies a metric uncertainty relation. Taking the average over $k_1$ and $k_2$ in equation (3.10),
we get

$$\frac{1}{t_1 t_2}\sum_{k_1, k_2} \Delta\left(p_{k_1, k_2}, \mathrm{unif}([d_{A_1}] \times [d_{A_2}])\right) \le 2\varepsilon .$$

□

This observation is in the same spirit as [Indyk and Szarek, 2010, Proposition 1], and
can in fact be used to build large almost Euclidean subspaces of $\ell_1(\ell_2)$.



3.3 Metric uncertainty relations: existence 



In this section, we prove the existence of families of unitary transformations satisfying
strong uncertainty relations. The proof proceeds by showing that choosing random unitaries
according to the Haar measure defines a metric uncertainty relation with positive probability.
The techniques used are quite standard and date back to Milman's proof of Dvoretzky's
theorem [Figiel et al., 1977, Milman, 1971]. A version of Dvoretzky's theorem states that
for any norm $\|\cdot\|$ over $\mathbb{C}^d$, there exists a "large" subspace $E \subseteq \mathbb{C}^d$ which is almost Euclidean,
i.e., for all $x \in E$, $(1 - \varepsilon)\|x\|_2 \le \frac{\|x\|}{s} \le (1 + \varepsilon)\|x\|_2$ for some constant $\varepsilon > 0$ and scaling
factor $s$. Using the connection between uncertainty relations and embeddings of $\ell_2$ into
$\ell_1(\ell_2)$ presented in the previous section, Theorem 3.3.2 can be viewed as a strengthening of
Dvoretzky's theorem for the $\ell_1(\ell_2)$ norm [Milman and Schechtman, 1986].

General techniques from asymptotic geometric analysis have recently found many
applications in quantum information theory. For example, Aubrun et al. [2010] show that the
existence of large subspaces of highly entangled states follows from Dvoretzky's theorem
for the Schatten $p$-norm² for $p > 2$. This in turn shows the existence of channels that
violate additivity of minimum output $p$-Rényi entropy as was previously demonstrated by
Hayden and Winter [2008]. Using a more delicate argument, Aubrun et al. [2011] were also
able to recover Hastings' counterexample to the additivity conjecture [Hastings, 2009]. The
general strategy that is used to prove such results is to define a distribution over the set of
objects one is looking for and use concentration of measure tools to prove that the desired
properties can be satisfied with positive probability.



For Theorem 3.3.2 we need to introduce the Haar measure over the unitary group
$\mathcal{U}(d)$. A natural way of defining a uniform measure over a group is to ask the measure
of a subset to be invariant under multiplication by elements of the group. In particular, for
the unitary group, consider measures $\mu$ on the unitary transformations of $\mathbb{C}^d$ that satisfy
$\mu(S) = \mu(\{U \cdot M : M \in S\})$ for all measurable sets $S \subseteq \mathcal{U}(d)$ and unitaries $U \in \mathcal{U}(d)$.
It follows from Haar's theorem that there is a unique probability measure that satisfies this
condition.

Definition 3.3.1 (Haar measure). The Haar measure $\mu_d$ on the set of unitary transformations
on $\mathbb{C}^d$ is the unique probability measure that is invariant under multiplication by a unitary
operation.

We can then define a rotation invariant probability measure on pure states of $\mathbb{C}^d$ by
considering the distribution of $U|0\rangle$ where $U \sim \mu_d$ and $|0\rangle$ is any unit vector in $\mathbb{C}^d$. We say
that $U|0\rangle$ is a random pure state.

We need another definition before stating the theorem. For some applications,³
we require an additional property for $\{U_1, \ldots, U_t\}$. A set of unitary transformations
$\{U_1, \ldots, U_t\}$ of $\mathbb{C}^d$ is said to define $\gamma$-approximately mutually unbiased bases ($\gamma$-MUBs)
if for all elements $|x\rangle$ and $|y\rangle$ of the computational basis and all $k \ne k'$, we have

$$\left|\langle x|U_k^\dagger U_{k'}|y\rangle\right| \le \frac{1}{\sqrt{d^{\gamma}}} . \qquad (3.11)$$

1-MUBs correspond to the usual notion of mutually unbiased bases.

Theorem 3.3.2 (Existence of metric uncertainty relations). Let $c = 9\pi^2$ and $\varepsilon \in (0, 1)$. Let
$A$ and $B$ be Hilbert spaces with $\dim B \ge 9/\varepsilon^2$ and $d = \dim A \otimes B \ge 9c \cdot 2^8\pi/\varepsilon^2$. Then, for all
$t \ge 4 \cdot 18c \cdot \ln(9/\varepsilon)/\varepsilon^2$, there exists a set $\{U_1, \ldots, U_t\}$ of unitary transformations of $AB$ satisfying
an $\varepsilon$-metric uncertainty relation on $A$: for all states $|\psi\rangle \in AB$,

$$\frac{1}{t}\sum_{k=1}^{t} \Delta\left(p^A_{U_k, |\psi\rangle}, \mathrm{unif}([d_A])\right) \le \varepsilon .$$

Moreover, for $\gamma \in (0, 1)$ and $d$ such that $4t^2 d^2 \exp(-d^{1-\gamma}) \le 1/2$, the unitaries
$\{U_1, \ldots, U_t\}$ can be chosen to also form $\gamma$-MUBs.

Remark. The proof proceeds by choosing a set of unitary transformations at random. See
(3.15) and (3.16) for a precise bound on the probability that such a set does not form a metric
uncertainty relation or a $\gamma$-MUB.

² The Schatten $p$-norm of a matrix $M$ is defined as the $\ell_p$ norm of the vector of singular values of $M$.
³ Quantum hiding fingerprints studied in Section 4.1.5.

Proof. The first step is to evaluate the expected value of $\Delta\left(p^A_{U|\psi\rangle}, \mathrm{unif}([d_A])\right)$ for a fixed
state $|\psi\rangle$ when $U$ is a random unitary chosen according to the Haar measure. Then, we
use a concentration of measure argument to show that with high probability, this distance
is close to its expected value. After this step, we show that the additional averaging
$\frac{1}{t}\sum_{k=1}^{t}\Delta\left(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\right)$ of $t$ independent copies results in additional concentration
at a rate that depends on $t$. We conclude by showing the existence of a family of unitaries
that makes this expression small for all states $|\psi\rangle$ using a union bound over a $\delta$-net. The four
main ingredients of the proof are precisely stated here but only proved in Appendix A.

We start by computing the expected value of the fidelity $\mathbb{E}\left\{F\left(p^A_{U|\psi\rangle}, \mathrm{unif}([d_A])\right)\right\}$,
which can be seen as an $\ell_1(\ell_2)$ norm.

Lemma 3.3.3 (Expected value of $\ell_1^A(\ell_2^B)$ over the sphere). Let $|\varphi\rangle^{AB}$ be a random pure state
on $AB$. Then,

$$\mathbb{E}\left\{F\left(p^A_{|\varphi\rangle}, \mathrm{unif}([d_A])\right)\right\} \ge \sqrt{1 - \frac{1}{d_B}} .$$

We then use the inequality $\Delta(\rho, \sigma) \le \sqrt{1 - F(\rho, \sigma)^2}$ to get

$$\mathbb{E}\left\{\Delta\left(p^A_{|\varphi\rangle}, \mathrm{unif}([d_A])\right)\right\} \le \mathbb{E}\left\{\sqrt{1 - F\left(p^A_{|\varphi\rangle}, \mathrm{unif}([d_A])\right)^2}\right\} .$$

By the concavity of the function $x \mapsto \sqrt{1 - x^2}$ on the interval $[0, 1]$,

$$\mathbb{E}\left\{\Delta\left(p^A_{|\varphi\rangle}, \mathrm{unif}([d_A])\right)\right\} \le \sqrt{1 - \mathbb{E}\left\{F\left(p^A_{|\varphi\rangle}, \mathrm{unif}([d_A])\right)\right\}^2} \le \frac{1}{\sqrt{d_B}} \le \frac{\varepsilon}{3} .$$

The last inequality comes from the hypothesis of the theorem that $d_B \ge 9/\varepsilon^2$. In other
words, for any fixed $|\psi\rangle$, the average over $U$ of the trace distance between $p^A_{U|\psi\rangle}$ and the
uniform distribution is at most $\varepsilon/3$. The next step is to show that this trace distance is close
to its expected value with high probability. For this, we use a version of Lévy's lemma
presented in Milman and Schechtman [1986].
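The following is an added Monte Carlo check, not code from the thesis, of the two facts just used: that the average of $\Delta(p^A_{|\varphi\rangle}, \mathrm{unif}([d_A]))$ over random pure states stays below $1/\sqrt{d_B}$, and that the distance concentrates around its mean as the total dimension $d = d_A d_B$ grows, which is what Lévy's lemma below quantifies. Random pure states are sampled as normalized vectors of i.i.d. complex Gaussians, which have exactly the rotation-invariant law of $U|0\rangle$ for Haar-distributed $U$ (a standard fact assumed here, not stated on the page). The sample sizes, dimensions and seed are constructed for the example.

```python
import math
import random

# Constructed Monte Carlo check (not code from the thesis): sample random pure states on
# A (x) B and compare the average Delta(p^A, unif([d_A])) with the 1/sqrt(d_B) bound
# that follows from Lemma 3.3.3.

def random_pure_state(d, rng):
    # A vector of i.i.d. standard complex Gaussians, normalized, is a random pure state:
    # its law is rotation invariant, i.e. the law of U|0> for Haar-distributed U.
    v = [complex(rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)) for _ in range(d)]
    norm = math.sqrt(sum(abs(a) ** 2 for a in v))
    return [a / norm for a in v]

def tv_of_a_marginal(phi, d_a, d_b):
    # Delta(p^A_{|phi>}, unif([d_A])) with p^A(a) = sum_b |<a|<b|phi>|^2 (amplitude index a * d_b + b).
    p_a = [sum(abs(phi[a * d_b + b]) ** 2 for b in range(d_b)) for a in range(d_a)]
    return 0.5 * sum(abs(x - 1.0 / d_a) for x in p_a)

def sample_tv(d_a, d_b, samples, seed=0):
    rng = random.Random(seed)
    return [tv_of_a_marginal(random_pure_state(d_a * d_b, rng), d_a, d_b) for _ in range(samples)]

def empirical_mean_and_spread(d_a, d_b, samples=200, seed=0):
    # Returns (sample mean, max - min) of Delta over `samples` random pure states.
    vals = sample_tv(d_a, d_b, samples, seed)
    return sum(vals) / len(vals), max(vals) - min(vals)

def lemma_3_3_3_bound(d_b):
    # E[Delta] <= sqrt(1 - E[F]^2) <= 1/sqrt(d_B); this is <= eps/3 once d_B >= 9/eps^2.
    return 1.0 / math.sqrt(d_b)

if __name__ == "__main__":
    for d_a in (8, 64):
        mean, spread = empirical_mean_and_spread(d_a, 8)
        # the mean stays under 1/sqrt(d_B), and the spread shrinks as d = d_A d_B grows
        print("d_A =", d_a, "d_B = 8", "mean", round(mean, 4), "spread", round(spread, 4),
              "bound", round(lemma_3_3_3_bound(8), 4))
```

The bound $1/\sqrt{d_B}$ is loose on purpose (it comes from Jensen's inequality on $\sqrt{1 - x^2}$), so the sample mean lands well below it; the more instructive column is the spread, which drops by roughly a factor of three when $d_A$ goes from 8 to 64 at fixed $d_B$, the concentration that the union bound over the $\delta$-net later relies on.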



Lemma 3.3.4 (Lévy's lemma). Let $f : \mathbb{C}^d \to \mathbb{R}$ and $\eta > 0$ be such that for all pure states
$|\varphi_1\rangle, |\varphi_2\rangle$ in $\mathbb{C}^d$,

$$|f(|\varphi_1\rangle) - f(|\varphi_2\rangle)| \le \eta\, \left\| |\varphi_1\rangle - |\varphi_2\rangle \right\|_2 .$$

Let $|\varphi\rangle$ be a random pure state in dimension $d$. Then for all $0 < \delta < \eta$,

$$\Pr\left\{|f(|\varphi\rangle) - \mathbb{E}\{f(|\varphi\rangle)\}| \ge \delta\right\} \le 4\exp\left(-\frac{\delta^2 d}{c\,\eta^2}\right) ,$$

where $c$ is a constant. We can take $c = 9\pi^2$.

We apply this concentration result to $f : |\varphi\rangle^{AB} \mapsto \Delta\left(p^A_{|\varphi\rangle}, \mathrm{unif}([d_A])\right)$. We start by
finding an upper bound on the Lipschitz constant $\eta$. For any pure states $|\varphi_1\rangle^{AB}$ and $|\varphi_2\rangle^{AB}$,
we have

$$\begin{aligned}
|f(|\varphi_1\rangle) - f(|\varphi_2\rangle)| &\le \Delta\left(p^A_{|\varphi_1\rangle}, p^A_{|\varphi_2\rangle}\right) \\
&\le \frac{1}{2}\sum_{a,b} \left| |\langle a|_A\langle b|_B|\varphi_1\rangle|^2 - |\langle a|_A\langle b|_B|\varphi_2\rangle|^2 \right| = \Delta\left(p_{|\varphi_1\rangle}, p_{|\varphi_2\rangle}\right) \\
&\le \sqrt{1 - F\left(p_{|\varphi_1\rangle}, p_{|\varphi_2\rangle}\right)^2} \\
&\le \sqrt{2\left(1 - F\left(p_{|\varphi_1\rangle}, p_{|\varphi_2\rangle}\right)\right)} \\
&= \sqrt{2 - 2\sum_{a,b} |\langle a|\langle b|\varphi_1\rangle| \cdot |\langle a|\langle b|\varphi_2\rangle|} \\
&= \sqrt{\sum_{a,b} \left( |\langle a|\langle b|\varphi_1\rangle| - |\langle a|\langle b|\varphi_2\rangle| \right)^2} \\
&\le \left\| |\varphi_1\rangle - |\varphi_2\rangle \right\|_2 . \qquad (3.12)
\end{aligned}$$

The first two inequalities follow from the triangle inequality. The third inequality is an
application of (2.1). The fourth inequality follows from the fact that $1 - x^2 \le 2(1 - x)$ for
all $x \in [0, 1]$. The last inequality follows again from the triangle inequality. Thus, applying
Lemma 3.3.4, we get for all $0 < \delta < 1$,

$$\Pr\left\{\left|\Delta\left(p^A_{|\varphi\rangle}, \mathrm{unif}([d_A])\right) - \mu\right| \ge \delta\right\} \le 4\exp\left(-\frac{\delta^2 d}{c}\right) , \qquad (3.13)$$

where $\mu = \mathbb{E}\left\{\Delta\left(p^A_{|\varphi\rangle}, \mathrm{unif}([d_A])\right)\right\}$. The following lemma bounds the tails of the average
of independent copies of a random variable.

Lemma 3.3.5 (Concentration of the average). Let $a, b \ge 1$, $\delta \in (0,1)$ and $t$ be a positive integer. Suppose $X$ is a random variable with mean $0$ satisfying the tail bounds
$$\Pr\{X > \eta\} \le a e^{-b\eta^2} \quad\text{and}\quad \Pr\{X < -\eta\} \le a e^{-b\eta^2} .$$
Let $X_1, \ldots, X_t$ be independent copies of $X$. Then if $\delta^2 b > 16 a^2 \pi$,
$$\Pr\left\{\left|\frac{1}{t}\sum_{k=1}^t X_k\right| > \delta\right\} \le \exp\left(-\frac{\delta^2 b t}{2}\right).$$

We apply the above lemma with $X_k = \Delta\left(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\right) - \mu$, which satisfies the bound (3.13) in addition to being bounded in absolute value by $1$. Taking $\delta = \epsilon/3$ and using Lemma 3.3.5 (which we can apply because we have $(\epsilon/3)^2 \cdot \frac{d}{c} > 16 \cdot 4^2 \cdot \pi$), we get
$$\Pr\left\{\left|\frac{1}{t}\sum_{k=1}^t X_k\right| > \epsilon/3\right\} \le \exp\left(-\frac{1}{2}\left(\frac{\epsilon}{3}\right)^2 \frac{d}{c}\, t\right).$$
Using this together with Lemma 3.3.3, we have
$$\Pr\left\{\frac{1}{t}\sum_{k=1}^t \Delta\left(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\right) > 2\epsilon/3\right\} \le \exp\left(-\frac{\epsilon^2 t d}{18c}\right). \qquad (3.14)$$

We would like to have the event described in (3.14) hold for all $|\psi\rangle \in AB$. For this, we construct a finite set $\mathcal{N}$ of states (a $\delta$-net) for which we can ensure that $\frac{1}{t}\sum_{k=1}^t \Delta\left(p^A_{U_k|\tilde\psi\rangle}, \mathrm{unif}([d_A])\right) \le 2\epsilon/3$ for all $|\tilde\psi\rangle \in \mathcal{N}$ holds with high probability.

Lemma 3.3.6 ($\delta$-net). Let $\delta \in (0,1)$. There exists a set $\mathcal{N}$ of pure states in $\mathbb{C}^d$ with $|\mathcal{N}| \le (3/\delta)^{2d}$ such that for every pure state $|\psi\rangle \in \mathbb{C}^d$ (i.e., $\||\psi\rangle\|_2 = 1$), there exists $|\tilde\psi\rangle \in \mathcal{N}$ such that
$$\| |\psi\rangle - |\tilde\psi\rangle \|_2 \le \delta .$$
Let $\mathcal{N}$ be the $\epsilon/3$-net obtained by applying this lemma to the space $AB$ with $\delta = \epsilon/3$. We have
$$\begin{aligned}
\Pr\left\{\exists |\tilde\psi\rangle \in \mathcal{N} : \frac{1}{t}\sum_{k=1}^t \Delta\left(p^A_{U_k|\tilde\psi\rangle}, \mathrm{unif}([d_A])\right) > 2\epsilon/3\right\} &\le |\mathcal{N}| \cdot \exp\left(-\frac{\epsilon^2 t d}{18c}\right) \\
&\le \exp\left(-d\left(\frac{\epsilon^2 t}{18c} - 2\ln(9/\epsilon)\right)\right).
\end{aligned}$$
Now for an arbitrary state $|\psi\rangle \in AB$, we know that there exists $|\tilde\psi\rangle \in \mathcal{N}$ such that $\||\psi\rangle - |\tilde\psi\rangle\|_2 \le \epsilon/3$. As a consequence, for any unitary transformation $U$,
$$\begin{aligned}
\Delta\left(p^A_{U|\psi\rangle}, \mathrm{unif}([d_A])\right) &\le \Delta\left(p^A_{U|\tilde\psi\rangle}, \mathrm{unif}([d_A])\right) + \Delta\left(p^A_{U|\psi\rangle}, p^A_{U|\tilde\psi\rangle}\right) \\
&\le \Delta\left(p^A_{U|\tilde\psi\rangle}, \mathrm{unif}([d_A])\right) + \|U|\psi\rangle - U|\tilde\psi\rangle\|_2 \\
&\le \Delta\left(p^A_{U|\tilde\psi\rangle}, \mathrm{unif}([d_A])\right) + \epsilon/3 .
\end{aligned}$$
In the first inequality, we used the triangle inequality and the second inequality can be derived as in (3.12). Thus,
$$\Pr\left\{\exists |\psi\rangle \in AB : \frac{1}{t}\sum_{k=1}^t \Delta\left(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\right) > \epsilon\right\} \le \exp\left(-d\left(\frac{\epsilon^2 t}{18c} - 2\ln(9/\epsilon)\right)\right). \qquad (3.15)$$
If $t > \frac{4\cdot 18c\,\ln(9/\epsilon)}{\epsilon^2}$, this bound is strictly smaller than $1/2$ and the result follows.

To prove that we can suppose that $\{U_1, \ldots, U_t\}$ define $\gamma$-MUBs, consider the function $f : |\varphi\rangle \mapsto \langle\psi|\varphi\rangle$ for some fixed vector $|\psi\rangle$. Then, if $|\varphi\rangle$ is a random pure state, we have $\mathbb{E}\{f(|\varphi\rangle)\} = 0$. Moreover, using Lévy's lemma with $\delta = d^{-\gamma/2}$,
$$\Pr\left\{|\langle\psi|\varphi\rangle| > d^{-\gamma/2}\right\} \le 4\exp\left(-\frac{d^{1-\gamma}}{c}\right).$$
Thus,
$$\Pr\left\{\exists k \ne k',\ x, y \in [d] :\ |\langle x|U_k^\dagger U_{k'}|y\rangle| > d^{-\gamma/2}\right\} \le 4 t^2 d^2 \exp\left(-\frac{d^{1-\gamma}}{c}\right), \qquad (3.16)$$
which completes the proof. □

Corollary 3.3.7 (Existence of entropic uncertainty relations). Let $\mathcal{C}$ be a Hilbert space of dimension $d \ge 2$. There exists a constant $c' > 1$ such that for any integer $t \ge 2$ such that [hypothesis relating $d$ and $t$ garbled in the source], there exists a set $\{U_1, \ldots, U_t\}$ of unitary transformations of $\mathcal{C}$ satisfying the following entropic uncertainty relation: for any state $|\psi\rangle \in \mathcal{C}$,
$$\frac{1}{t}\sum_{k=1}^t H\left(p_{U_k|\psi\rangle}\right) \ge \left(1 - 8\sqrt{\frac{c'\log t}{t}}\right)\log d - \log\left(\frac{18\,t}{c'\log t}\right) - 2h_2\left(2\sqrt{\frac{c'\log t}{t}}\right).$$
In particular, in the limit $d \to \infty$, we obtain the existence of a sequence of sets of $t$ bases satisfying
$$\lim_{d\to\infty} \frac{\sum_{k=1}^t H\left(p_{U_k|\psi\rangle}\right)}{t\log d} \ge 1 - 8\sqrt{\frac{c'\log t}{t}} .$$


Remark. Recall that the bases (or measurements) that constitute the uncertainty relation are defined as the images of the computational basis by $U_k$. Note that for any set of unitaries $\{U_1, \ldots, U_t\}$, we have
$$\frac{1}{t}\sum_{k=1}^t H\left(p_{U_k|\psi\rangle}\right) \le \log d .$$
It is an open question whether there exist uncertainty relations matching this bound, even asymptotically as $d \to \infty$ [Wehner and Winter, 2010]. Wehner and Winter [2010] ask whether there even exists a growing function $f$ such that
$$\lim_{d\to\infty} \frac{\sum_{k=1}^t H\left(p_{U_k|\psi\rangle}\right)}{t\log d} \ge 1 - \frac{1}{f(t)} .$$
The corollary answers this question in the affirmative with $f(t) = \frac{1}{8}\sqrt{\frac{t}{c'\log t}}$.

Proof. Define $c' = 5\cdot 18c$, where $c$ comes from Lévy's Lemma 3.3.4, and $\epsilon = \sqrt{\frac{c'\log t}{t}}$, and decompose $\mathcal{C} = A \otimes B$ with $d_B = \lceil 9/\epsilon^2 \rceil$. As $d$ is large enough (the lower bound on $d$, which involves the constant $9c\cdot 16^2$ from the condition of Lemma 3.3.5, is garbled in the source) and
$$\frac{4\cdot 18c\,\log(9/\epsilon)}{\epsilon^2} \le \frac{4\cdot 18c\,\log t}{c'\log t}\, t \le \frac{5\cdot 18c\,\log t}{c'\log t}\, t = t ,$$
we get a family $U_1, \ldots, U_t$ of unitary transformations that satisfies
$$\frac{1}{t}\sum_{k=1}^t \Delta\left(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\right) \le \epsilon .$$
By Proposition 3.2.2 these unitary transformations also satisfy an entropic uncertainty relation:
$$\begin{aligned}
\frac{1}{t}\sum_{k=1}^t H\left(p_{U_k|\psi\rangle}\right) &\ge (1 - 8\epsilon)\log\frac{d}{\lceil 9/\epsilon^2\rceil} - 2h_2(2\epsilon) \\
&\ge (1 - 8\epsilon)\log d - \log(18/\epsilon^2) - 2h_2(2\epsilon) .
\end{aligned}$$
□
3.4 Metric uncertainty relations: explicit construction

In this section, we are interested in obtaining families $\{U_1, \ldots, U_t\}$ of unitaries satisfying metric uncertainty relations where $U_1, \ldots, U_t$ are explicit and efficiently computable using a quantum computer. For this section, we consider for simplicity a Hilbert space composed of qubits, i.e., of dimension $d = 2^n$ for some integer $n$. This Hilbert space is of the form $A \otimes B$ where $A$ describes the states of the first $\log d_A$ qubits and $B$ the last $\log d_B$ qubits. Note that we assume that both $d_A$ and $d_B$ are powers of two.

We construct a set of unitaries by adapting an explicit low-distortion embedding of $(\mathbb{R}^d, \ell_2)$ into $(\mathbb{R}^{d'}, \ell_1)$ with $d' = d^{1+o(1)}$ by Indyk [2007]. Indyk's construction has two main ingredients: a set of mutually unbiased bases and an extractor. Our construction uses the same paradigm while requiring additional properties of both the mutually unbiased bases and the extractor.

In order to obtain a locking scheme that only needs simple quantum operations, we construct sets of approximately mutually unbiased bases from a restricted set of unitaries that can be implemented with single-qubit Hadamard gates. Moreover, we impose three additional properties on the extractor: we need our extractor to be strong, to define a permutation and to be efficiently invertible. We want the extractor to be strong because we are constructing metric uncertainty relations as opposed to a norm embedding. The property of being a permutation extractor is needed to ensure that the induced transformation on $(\mathbb{C}^2)^{\otimes n}$ preserves the $\ell_2$ norm. We also require the efficient invertibility condition to be able to build an efficient quantum circuit for the permutation. See Definition 3.4.4 for a precise formulation.

The intuition behind Indyk's idea is as follows. Let $V_1, \ldots, V_r$ be unitaries defining (approximately) mutually unbiased bases (see equation (3.17)) and let $\{P_y\}_{y\in S}$ be a permutation extractor (Definition 3.4.4). The role of the mutually unbiased bases is to guarantee that for all states $|\psi\rangle$ and for most values of $j \in [r]$, most of the mass of the state $V_j|\psi\rangle$ is "well spread" in the computational basis. This spread is measured in terms of the min-entropy of the distribution $p_{V_j|\psi\rangle}$. Then, the extractor $\{P_y\}_y$ will ensure that on average over $y \in S$, the masses $\sum_b |\langle a|\langle b|P_y V_j|\psi\rangle|^2$ are almost equal for all $a \in [d_A]$. More precisely, the distribution $p^A_{P_yV_j|\psi\rangle}$ is close to uniform.

We start by recalling the definition of mutually unbiased bases. A set of unitary transformations $V_1, \ldots, V_r$ is said to define $\gamma$-approximately mutually unbiased bases (or $\gamma$-MUBs) if for $i \ne j$ and any elements $|x\rangle$ and $|y\rangle$ of the computational basis, we have
$$|\langle x|V_i^\dagger V_j|y\rangle| \le \frac{1}{d^{\gamma/2}} . \qquad (3.17)$$






As shown in the following lemma, there is a construction of mutually unbiased bases that can be efficiently implemented [Wootters and Fields, 1989].

Lemma 3.4.1 (Quantum circuits for MUBs). Let $n$ be a positive integer and $d = 2^n$. For any integer $r \le d+1$, there exists a family $V_1, \ldots, V_r$ of unitary transformations of $\mathbb{C}^d$ that define mutually unbiased bases. Moreover, there is a randomized classical algorithm with runtime $O(n^2\,\mathrm{polylog}\,n)$ that takes as input $j \in [r]$ and outputs a binary vector $\alpha_j \in \{0,1\}^{2n-1}$, and a quantum circuit of size $O(n\,\mathrm{polylog}\,n)$ that when given as input the vector $\alpha_j$ (classical input) and a quantum state $|\psi\rangle \in \mathbb{C}^d$ outputs $V_j|\psi\rangle$.

Remark. The randomization in the algorithm is used to find an irreducible polynomial of degree $n$ in $\mathbb{F}_2[X]$. It could be replaced by a deterministic algorithm that runs in time $O(n^4\,\mathrm{polylog}\,n)$. Observe that if $n$ is odd and $r \le (d+1)/2$, it is possible to choose the unitary transformations to be real (see Heath et al. [2006]).

Proof. We define $V_1 = \mathrm{id}$, and the remaining unitaries are indexed by binary vectors $u \in \{0,1\}^n$, for example the binary representations of the integers from $0$ to $r-2$. The construction is based on operations in the finite field $\mathbb{F}_{2^n}$. The field $\mathbb{F}_{2^n}$ can be seen as an $n$-dimensional vector space over $\mathbb{F}_2$. Choose $\theta \in \mathbb{F}_{2^n}$ such that $1, \theta, \ldots, \theta^{n-1}$ form a basis of $\mathbb{F}_{2^n}$. For any $x, y \in [n]$, $\theta^x \cdot \theta^y \in \mathbb{F}_{2^n}$ can be decomposed in our chosen basis as $\theta^x \cdot \theta^y = \sum_{\ell=0}^{n-1} m_\ell(x,y)\,\theta^\ell$ for some $m_\ell(x,y) \in \mathbb{F}_2$. We can thus define the matrices $M_0, M_1, \ldots, M_{n-1}$ from the multiplication table
$$\begin{pmatrix} 1 \\ \theta \\ \vdots \\ \theta^{n-1} \end{pmatrix} \begin{pmatrix} 1 & \theta & \cdots & \theta^{n-1} \end{pmatrix} = M_0 + M_1\theta + \cdots + M_{n-1}\theta^{n-1},$$
where $M_\ell = (m_\ell(x,y))_{x,y\in[n]}$. For a given $u \in \{0,1\}^n$, we define the matrix
$$N_u = \sum_{\ell=0}^{n-1} u_\ell M_\ell .$$
Notice that as $\theta^x \cdot \theta^y = \theta^{x+y}$, the entry $N_u(x,y)$ of $N_u$ only depends on $x+y$, i.e., $N_u(x,y) = N_u(x',y')$ if $x+y = x'+y'$. So we can represent this matrix by a vector $\alpha_u(x+y) = N_u(x,y)$ of length $2n-1$. We then define a $\mathbb{Z}_4$-valued quadratic form by: for $v \in \{0,1\}^n$,
$$T_u(v) = v^T N_u v \bmod 4 .$$
Note that the operations $v^T N_u v$ are not performed in $\mathbb{F}_2$ but rather in $\mathbb{Z}$. Using the vector $\alpha_u$, we can write
$$T_u(v) = \sum_{x,y\in[n]} v_x N_u(x,y) v_y \bmod 4 = \sum_{z=0}^{2n-2}\left(\sum_{x=0}^{z} v_x v_{z-x}\right)\alpha_u(z) \bmod 4$$
if we define $v_x = 0$ for $x \ge n$. We then define the diagonal matrix $D_u = \mathrm{diag}\left(i^{T_u(v)}\right)_{v \in \mathbb{F}_2^n}$. Finally, we define for $2 \le j \le r$,
$$V_j = D_{\mathrm{bin}(j-2)} H^{\otimes n}$$
where $\mathrm{bin}(j) \in \{0,1\}^n$ is the binary representation of length $n$ of the integer $j$.



The fact that these unitaries define mutually unbiased bases was proved in Wootters and Fields [1989]. We now analyse how fast these unitary transformations can be implemented. Note that we want a circuit that takes as input a state $|\psi\rangle$ together with the index $j$ of the unitary transformation and outputs $V_j|\psi\rangle$.

Given the index $j$ as input, we show it is possible to compute $u = \mathrm{bin}(j-2)$ and compute the vector $\alpha_j = \alpha_u$ in time $O(n^2\,\mathrm{polylog}\,n)$. In fact, we start by computing a representation of the field $\mathbb{F}_{2^n}$ by finding an irreducible polynomial $Q$ of degree $n$ in $\mathbb{F}_2[X]$, so that $\mathbb{F}_{2^n} = \mathbb{F}_2[X]/Q$. This can be done in expected time $O(n^2\,\mathrm{polylog}\,n)$ (Corollary 14.43 in the book by von zur Gathen and Gerhard [1999]). There also exists a deterministic algorithm for finding an irreducible polynomial in time $O(n^4\,\mathrm{polylog}\,n)$ [Shoup, 1990]. We then take $\theta = X$. Computing the polynomial $X^x \cdot X^y = X^{x+y} \bmod Q$ can be done in time $O(n\,\mathrm{polylog}\,n)$ using the fast Euclidean algorithm (see Corollary 11.8 in von zur Gathen and Gerhard [1999]). As $x+y \in [0, 2n-2]$, we can explicitly represent all the polynomials $X^z$ for $0 \le z \le 2n-2$ in time $O(n^2\,\mathrm{polylog}\,n)$. It is then simple to compute the vector $\alpha_u$ using the vector $u$ in time $O(n^2)$.

To build the quantum circuit, we first observe that applying a Hadamard transform only takes $n$ single-qubit Hadamard gates. Then, to design a circuit performing the unitary transformation $D_{\mathrm{bin}(j-2)}$, we start by building a classical circuit that computes
$$T_u(v) = \sum_{z=0}^{2n-2}\left(\sum_{x=0}^{z} v_x v_{z-x}\right)\alpha_u(z) \bmod 4$$
on inputs $v$ and $\alpha_u$. Observing that $\sum_{x=0}^{z} v_x v_{z-x}$ is the coefficient of $Y^z$ in the polynomial $\left(\sum_{x=0}^{n-1} v_x Y^x\right)^2$, we can use fast polynomial multiplication to compute $T_u(v)$ in time $O(n\,\mathrm{polylog}\,n)$ (Corollary 8.27 in von zur Gathen and Gerhard [1999]). This circuit can be transformed into a reversible circuit with the same size (up to some multiplicative constant) that takes as input $(v, \alpha_j, g)$ where $v \in \{0,1\}^n$, $\alpha_j \in \{0,1\}^{2n-1}$ and $g \in \mathbb{Z}_4$, and outputs $(v, \alpha_j, g + T_u(v) \bmod 4)$.

This reversible classical circuit can be readily transformed into a quantum circuit that computes the unitary transformation defined by $W : |v\rangle|g\rangle \mapsto |v\rangle|g + T_u(v) \bmod 4\rangle$. Recall that we want to implement the transformation $D_u : |v\rangle \mapsto i^{T_u(v)}|v\rangle$ efficiently. This is simple to obtain using the quantum circuit for $W$. In fact, if we use a catalyst state $|\phi\rangle = |0\rangle - i|1\rangle - |2\rangle + i|3\rangle$ (up to normalization, the eigenvector of the cyclic shift $|g\rangle \mapsto |g+1 \bmod 4\rangle$ with eigenvalue $i$), we have
$$W|v\rangle|\phi\rangle = i^{T_u(v)}|v\rangle|\phi\rangle = D_{\mathrm{bin}(j-2)}|v\rangle|\phi\rangle .$$
Finally, $D_{\mathrm{bin}(j-2)} H^{\otimes n}$ can be implemented by a quantum circuit of size $O(n\,\mathrm{polylog}\,n)$. □
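The construction of Lemma 3.4.1 carried out in code, as an added example that is not the thesis's own code (the thesis gives no implementation): the field $\mathbb{F}_{2^n}$ is built as $\mathbb{F}_2[X]/(Q)$ with $\theta = X$, the vector $\alpha_u$ and the $\mathbb{Z}_4$-valued form $T_u$ are computed both directly and in the convolution form that the circuit evaluates, and the resulting unitaries $V_1 = \mathrm{id}$, $V_j = D_{\mathrm{bin}(j-2)}H^{\otimes n}$ are checked numerically against (3.17) with $\gamma = 1$. Two choices are assumptions not fixed by the page: $Q$ is found by brute-force trial division rather than the randomized algorithm cited in the lemma, and $N_u = \sum_\ell u_\ell M_\ell$ is reduced modulo 2 so that $\alpha_u$ is binary, as the lemma's statement requires. All function names are the example's own.

```python
import math

# Constructed example; not code from the thesis.  Polynomials over F_2 are
# stored as Python ints (bit l = coefficient of X^l); u and basis states are
# n-bit ints with bit x = coordinate x.

I_POWERS = [1, 1j, -1, -1j]  # i^k for k in Z_4, kept exact


def poly_mod(a, q):
    """Remainder of a modulo q in F_2[X] (carry-less long division)."""
    dq = q.bit_length() - 1
    while a and a.bit_length() - 1 >= dq:
        a ^= q << (a.bit_length() - 1 - dq)
    return a


def is_irreducible(q):
    """Trial division by every polynomial of degree 1 .. deg(q)//2."""
    deg = q.bit_length() - 1
    return all(poly_mod(q, f) != 0 for f in range(2, 1 << (deg // 2 + 1)))


def find_irreducible(n):
    """Smallest monic irreducible polynomial Q of degree n over F_2.
    Assumption: brute force stands in for the randomized algorithm the lemma cites."""
    for q in range(1 << n, 1 << (n + 1)):
        if is_irreducible(q):
            return q
    raise ValueError("no irreducible polynomial found")


def parity(x):
    return bin(x).count("1") & 1


def theta_powers(n, q):
    """theta^z for z = 0 .. 2n-2 with theta = X, each as its coordinate vector in
    the basis 1, theta, ..., theta^(n-1) (bit l = m_l coefficient)."""
    return [poly_mod(1 << z, q) for z in range(2 * n - 1)]


def alpha_vector(u, theta_pow, n):
    """alpha_u(z) = N_u(x, y) for any x + y = z, where N_u = sum_l u_l M_l (mod 2,
    an assumption) and M_l(x, y) is the coefficient of theta^l in theta^(x+y)."""
    return [parity(u & theta_pow[z]) for z in range(2 * n - 1)]


def quadratic_form(alpha, v, n):
    """T_u(v) = v^T N_u v mod 4, computed over the integers; v is a 0/1 list."""
    return sum(v[x] * alpha[x + y] * v[y] for x in range(n) for y in range(n)) % 4


def quadratic_form_conv(alpha, v, n):
    """T_u(v) via sum_z (sum_x v_x v_{z-x}) alpha_u(z) mod 4: the inner sum is the
    coefficient of Y^z in (sum_x v_x Y^x)^2, the quantity the circuit obtains
    from fast polynomial multiplication."""
    vv = list(v) + [0] * (n - 1)  # v_x = 0 for x >= n
    total = 0
    for z in range(2 * n - 1):
        total += alpha[z] * sum(vv[x] * vv[z - x] for x in range(z + 1))
    return total % 4


def build_mubs(n):
    """Return the d + 1 unitaries V_1 = id and V_j = D_bin(j-2) H^{(x)n} (d = 2^n),
    each as a d x d list of rows with V[v][y] = <v|V|y>."""
    d = 1 << n
    tpow = theta_powers(n, find_irreducible(n))
    scale = 1 / math.sqrt(d)
    hadamard = [[scale * (-1) ** parity(v & y) for y in range(d)] for v in range(d)]
    bases = [[[1.0 if v == y else 0.0 for y in range(d)] for v in range(d)]]
    for u in range(d):  # u = bin(j - 2) for j = 2 .. d + 1
        alpha = alpha_vector(u, tpow, n)
        phase = [I_POWERS[quadratic_form(alpha, [(v >> x) & 1 for x in range(n)], n)]
                 for v in range(d)]  # diagonal of D_u
        bases.append([[phase[v] * hadamard[v][y] for y in range(d)] for v in range(d)])
    return bases


def is_mutually_unbiased(bases, tol=1e-9):
    """Check (3.17) with gamma = 1: |<x|V_i^dagger V_j|y>|^2 = 1/d for all i != j."""
    d = len(bases[0])
    for i in range(len(bases)):
        for j in range(i + 1, len(bases)):
            for x in range(d):
                for y in range(d):
                    amp = sum(bases[i][v][x].conjugate() * bases[j][v][y] for v in range(d))
                    if abs(abs(amp) ** 2 - 1 / d) > tol:
                        return False
    return True


if __name__ == "__main__":
    for n in (1, 2, 3):
        mubs = build_mubs(n)
        print(f"n={n}: {len(mubs)} bases, mutually unbiased: {is_mutually_unbiased(mubs)}")
```

Running the block for $n = 1$ reproduces the three qubit bases (computational, $X$ and $Y$); for $n = 2$ and $n = 3$ it returns $d+1 = 5$ and $9$ bases and the pairwise check passes, while the convolution form of $T_u$ agrees with the direct matrix form for every $u$ and $v$.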

It is also possible to obtain approximately mutually unbiased bases that use smaller circuits. In fact, the following lemma shows that we can construct large sets of approximately mutually unbiased bases defined by unitaries in the restricted set
$$\mathcal{H} = \left\{H^v = H^{v_1} \otimes \cdots \otimes H^{v_n},\ v \in \{0,1\}^n\right\},$$
where $H$ is the Hadamard transform on $\mathbb{C}^2$ defined by
$$H = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}.$$
In our construction of metric uncertainty relations (Theorem 3.4.6), we could use the $1$-MUBs of Lemma 3.4.1 or the $(1/2-\delta)$-MUBs of Lemma 3.4.2. As the construction of approximate MUBs is simpler and can be implemented with simpler circuits, we will mostly be using Lemma 3.4.2.

Lemma 3.4.2 (Approximate MUBs in $\mathcal{H}$). Let $n'$ be a positive integer and $n = 2^{n'}$.

1. For any integer $r \le n$, there exists a family $V_1, \ldots, V_r \in \mathcal{H}$ that define $1/2$-MUBs.

2. For any $\delta \in (0, 1/2)$, there exists a constant $c > 0$ independent of $n$ such that for any $r \le 2^{cn}$ there exists a family $V_1, \ldots, V_r$ of unitary transformations in $\mathcal{H}$ that define $(1/2-\delta)$-MUBs.

Moreover, in both cases, given an index $j \in [r]$, there is a polynomial time (classical) algorithm that computes the vector $v \in \{0,1\}^n$ that defines the unitary $V_j = H^v$.

Proof. Observe that for any $v \in \{0,1\}^n$ and any $y \in \{0,1\}^n$, we have $H^v(|y_1\rangle \otimes \cdots \otimes |y_n\rangle) = H^{v_1}|y_1\rangle \otimes \cdots \otimes H^{v_n}|y_n\rangle$, a uniform superposition of $2^{w(v)}$ computational basis states whose amplitudes all have modulus $2^{-w(v)/2}$, where $w(v)$ is the number of non-zero components of $v$. Thus,
$$|\langle x|H^v H^{v'}|y\rangle| = |\langle x|H^{v \oplus v'}|y\rangle| \le 2^{-d_H(v,v')/2}, \qquad (3.18)$$
where $d_H(v,v') = |\{i : v_i \ne v'_i\}|$ is the Hamming distance between the two vectors $v$ and $v'$. Using this observation, we see that a binary code $\mathcal{C} \subseteq \{0,1\}^n$ with minimum distance $\gamma n$ defines a set of $\gamma$-MUBs in $\mathcal{H}$. It is now sufficient to find binary codes with minimum distance as large as possible. For the first construction, we use the Hadamard code that has minimum distance $n/2$. The Hadamard codewords are indexed by $x \in \{0,1\}^{n'}$; the codeword corresponding to $x$ is the vector $v \in \{0,1\}^n$ whose coordinates are $v_z = x \cdot z$ for all $z \in \{0,1\}^{n'}$. This code has the largest possible minimum distance for a non-trivial binary code but its shortcoming is that the number of codewords is only $n$. For our applications, it is sometimes desirable to have $r$ larger than $n$ (this is useful to allow the error parameter $\epsilon$ of our metric uncertainty relation to be smaller than $n^{-1/2}$).

For the second construction, we use families of linear codes with minimum distance $(1/2-\delta)n$ with a number of codewords that is exponential in $n$. For this, we can use Reed-Solomon codes concatenated with linear codes on $\{0,1\}^{\Theta(n')}$ that match the performance of random linear codes; see for example Appendix E in Goldreich [2008]. For a simpler construction, note that we can also get $2^{\Omega(n)}$ codewords by using a Reed-Solomon code concatenated with a Hadamard code. □
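The first construction of Lemma 3.4.2 and the bound (3.18), as an added example that is not the thesis's own code: it builds the Hadamard code of length $n = 2^{n'}$, checks that its minimum distance is $n/2$, and verifies numerically, by forming the entries of $H^v H^{v'}$ from the single-qubit factors of each $H^v$ rather than from the closed form, that the codewords define $1/2$-MUBs in $\mathcal{H}$ in the sense of (3.17), and that they do not meet a stricter $\gamma$. Function names and the tolerance are the example's own.

```python
import math

# Constructed example; not code from the thesis.  Basis states of n qubits are
# ints x in [0, 2^n) with bit i = x_i; vectors v in {0,1}^n are 0/1 lists.

SQRT_HALF = math.sqrt(0.5)


def parity(x):
    return bin(x).count("1") & 1


def hadamard_code(n_prime):
    """Hadamard code of length n = 2^n': the codeword for x in {0,1}^n' has
    coordinates v_z = x . z (mod 2) for all z in {0,1}^n'.  Returns n codewords."""
    n = 1 << n_prime
    return [[parity(x & z) for z in range(n)] for x in range(n)]


def hamming_distance(v, w):
    return sum(a != b for a, b in zip(v, w))


def min_distance(code):
    return min(hamming_distance(v, w)
               for i, v in enumerate(code) for w in code[i + 1:])


def hv_entry(v, x, y):
    """<x| H^v |y> with H^v = H^{v_1} (x) ... (x) H^{v_n}: the factor on qubit i is
    the identity if v_i = 0 and the Hadamard transform if v_i = 1."""
    amp = 1.0
    for i, vi in enumerate(v):
        xi, yi = (x >> i) & 1, (y >> i) & 1
        if vi == 0:
            if xi != yi:
                return 0.0
        else:
            amp *= SQRT_HALF * (-1) ** (xi & yi)
    return amp


def max_overlap(v, w):
    """max_{x,y} |<x| H^v H^w |y>| from the matrix product directly; by (3.18)
    this equals 2^{-d_H(v,w)/2}, since H^v H^w = H^{v xor w}."""
    d = 1 << len(v)
    best = 0.0
    for x in range(d):
        for y in range(d):
            amp = sum(hv_entry(v, x, z) * hv_entry(w, z, y) for z in range(d))
            best = max(best, abs(amp))
    return best


def is_gamma_mub(code, gamma, tol=1e-12):
    """Do the unitaries {H^v : v in code} define gamma-MUBs, i.e. does every pair
    satisfy max overlap <= d^{-gamma/2} as in (3.17)?"""
    d = 1 << len(code[0])
    bound = d ** (-gamma / 2)
    return all(max_overlap(v, w) <= bound + tol
               for i, v in enumerate(code) for w in code[i + 1:])


if __name__ == "__main__":
    code = hadamard_code(2)  # n = 4 qubits, 4 codewords
    print("min distance:", min_distance(code), "(n/2 =", len(code[0]) // 2, ")")
    print("1/2-MUBs:", is_gamma_mub(code, 0.5), " 0.6-MUBs:", is_gamma_mub(code, 0.6))
```

For $n' = 2$ the four codewords pairwise differ in exactly $n/2 = 2$ coordinates, so every pair of distinct unitaries has maximal overlap $2^{-1} = d^{-1/4}$ with $d = 16$: exactly the $1/2$-MUB threshold, and strictly above the threshold for $\gamma = 0.6$, which is why a larger $\gamma$ requires the code-concatenation route of the second construction.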

The next lemma shows that for any state $|\psi\rangle$, for most values of $j$, the distribution $p_{V_j|\psi\rangle}$ is close to a distribution with large min-entropy provided $\{V_j\}$ define $\gamma$-MUBs. This result might be of independent interest. In fact, Damgård et al. [2007] prove a lower bound close to $n/2$ on the min-entropy of a measurement in the computational basis of the state $U|\psi\rangle$ where $U$ is chosen uniformly from the full set of the $2^n$ unitaries of $\mathcal{H}$. They leave as an open question the existence of small subsets of $\mathcal{H}$ that satisfy the same uncertainty relation. When used with the $\gamma$-MUBs of Lemma 3.4.2, the following lemma partially answers this question by exhibiting such sets of size polynomial in $n$ but with a min-entropy lower bound close to $n/4$ instead. This can be used to reduce the amount of randomness needed for many protocols in the bounded and noisy quantum storage models.

Lemma 3.4.3. Let $n \ge 1$, $d = 2^n$ and $\epsilon \in (0,1)$ and consider a set of $r = \lceil 2/\epsilon^2 \rceil$ unitary transformations $V_1, \ldots, V_r$ of $\mathbb{C}^d$ defining $\gamma$-MUBs. For all $|\psi\rangle \in \mathbb{C}^d$,
$$\left|\left\{j \in [r] : \exists q_j,\ \Delta\left(p_{V_j|\psi\rangle}, q_j\right) \le \epsilon \text{ and } H_{\min}(q_j) \ge \frac{\gamma n}{2} - \log(8/\epsilon^2)\right\}\right| \ge (1-\epsilon)\, r .$$

Proof. This proof proceeds along the lines of [Indyk, 2007, Lemma 4.2]. Similar results can also be found in the sparse approximation literature; see [Tropp, 2004, Proposition 4.3] and references therein.
Consider the $rd \times d$ matrix $V$ obtained by concatenating the rows of the matrices $V_1, \ldots, V_r$. For $S \subseteq [rd]$, $V_S$ denotes the submatrix of $V$ obtained by selecting the rows in $S$. The coordinates of the vector $V|\psi\rangle \in \mathbb{C}^{rd}$ are indexed by $z \in [rd]$ and denoted by $(V|\psi\rangle)_z$.

Claim. We have for any set $S \subseteq [rd]$ of size at most $d^{\gamma/2}$ and any unit vector $|\psi\rangle$,
$$\|(V|\psi\rangle)_S\|_2^2 \le 1 + \frac{|S|}{d^{\gamma/2}} . \qquad (3.19)$$

To prove the claim, we want an upper bound on the operator 2-norm of the matrix $V_S$, which is the square root of the largest eigenvalue of $G = V_S V_S^\dagger$. As two distinct rows of $V$ have an inner product bounded by $1/d^{\gamma/2}$, the non-diagonal entries of $G$ are bounded by $1/d^{\gamma/2}$. Moreover, the diagonal entries of $G$ are all $1$. By the Gershgorin circle theorem, all the eigenvalues of $G$ lie in the disc centered at $1$ of radius $|S|/d^{\gamma/2}$. We conclude that (3.19) holds.

Now pick $S$ to be the set of indices of the $d^{\gamma/2}$ largest entries of the vector $\{|(V|\psi\rangle)_z|^2\}_{z\in[rd]}$. Using the previous claim, we have $\|(V|\psi\rangle)_S\|_2^2 \le 2$. Moreover, since $S$ contains the $d^{\gamma/2}$ largest entries of $\{|(V|\psi\rangle)_z|^2\}_z$, we have that for all $z \notin S$, $|(V|\psi\rangle)_z|^2\, d^{\gamma/2} \le \|V|\psi\rangle\|_2^2 = \sum_{j=1}^r \|V_j|\psi\rangle\|_2^2 = r$. Thus, for all $z \notin S$, $|(V|\psi\rangle)_z|^2 \le r/d^{\gamma/2}$.

We now build the distributions $q_j$. For every $j \in [r]$, define
$$w_j = \sum_{z \in S \cap \{(j-1)d+1, \ldots, jd\}} |(V|\psi\rangle)_z|^2 ,$$
which is the total weight in $S$ of $V_j|\psi\rangle$. Defining $T_\epsilon = \{j : w_j > \epsilon\}$, we have $|T_\epsilon|\,\epsilon \le \|(V|\psi\rangle)_S\|_2^2 \le 2$. Thus,
$$|T_\epsilon| \le 2/\epsilon \le \epsilon r .$$
We define the distribution $q_j$ for $j \in [r]$ by
$$q_j(x) = \begin{cases} |(V|\psi\rangle)_{(j-1)d+x}|^2 + \dfrac{w_j}{d} & \text{if } (j-1)d + x \notin S \\[1ex] 0 & \text{if } (j-1)d + x \in S . \end{cases}$$
Since
$$\sum_x q_j(x) = w_j + \sum_{x \in [d] : (j-1)d+x \notin S} |(V|\psi\rangle)_{(j-1)d+x}|^2 = \sum_{x\in[d]} |(V|\psi\rangle)_{(j-1)d+x}|^2 = 1,$$
$q_j$ is a probability distribution. Moreover, we have that for $j \notin T_\epsilon$
$$\Delta\left(p_{V_j|\psi\rangle}, q_j\right) \le \frac{1}{2}\left[\sum_{x : (j-1)d+x \notin S} \frac{w_j}{d} + \sum_{x : (j-1)d+x \in S}\left(\frac{w_j}{d} + |(V|\psi\rangle)_{(j-1)d+x}|^2\right)\right] = w_j \le \epsilon .$$
The distribution $q_j$ also has the property that for all $x \in [d]$, $q_j(x) \le \frac{r}{d^{\gamma/2}} + \frac{\epsilon}{d} \le \frac{8}{\epsilon^2 d^{\gamma/2}}$. In other words, $H_{\min}(q_j) \ge \frac{\gamma n}{2} - \log(8/\epsilon^2)$. □

We now move to the second building block in Indyk's construction: randomness extractors. Randomness extractors are functions that extract uniform random bits from weak sources of randomness.

Definition 3.4.4 (Strong permutation extractor). Let $n$ and $m \le n$ be positive integers, $\ell \in [0,n]$ and $\epsilon \in (0,1)$. A family of permutations $\{P_y\}_{y\in S}$ of $\{0,1\}^n$ where each permutation $P_y$ is described by two functions $P^E_y : \{0,1\}^n \to \{0,1\}^m$ (the first $m$ output bits of $P_y$) and $P^{\bar E}_y : \{0,1\}^n \to \{0,1\}^{n-m}$ (the last $n-m$ output bits of $P_y$) is said to be an explicit $(n,\ell) \to_\epsilon m$ strong permutation extractor if:

• For any random variable $X$ on $\{0,1\}^n$ such that $H_{\min}(X) \ge \ell$, and an independent seed $U_S$ uniformly distributed over $S$, we have
$$\Delta\left(\left(P^E_{U_S}(X), U_S\right),\ \mathrm{unif}\left(S \times \{0,1\}^m\right)\right) \le \epsilon ,$$
which is equivalent to
$$\frac{1}{|S|}\sum_{y\in S}\Delta\left(P^E_y(X),\ \mathrm{unif}(\{0,1\}^m)\right) \le \epsilon . \qquad (3.20)$$

• For all $y \in S$, both the function $P_y$ and its inverse $P_y^{-1}$ are computable in time polynomial in $n$.



Remark. A similar definition of permutation extractors was used in Reingold et al. [2000] in order to avoid some entropy loss in an extractor construction. Here, the reason we use permutation extractors is different; it is because we want the induced transformation $P_y$ on $\mathbb{C}^{2^n}$ to preserve the $\ell_2$ norm.

We can adapt an extractor construction of Guruswami et al. [2009] to obtain a permutation extractor with the following parameters. The details of the construction are presented in Appendix A.2.

Theorem 3.4.5 (Explicit strong permutation extractors). For all (constant) $\delta \in (0,1)$, all positive integers $n$, all $\ell \in [c\log(n/\epsilon), n]$ ($c$ is a constant independent of $n$ and $\epsilon$), and all $\epsilon \in (0, 1/2)$, there is an explicit $(n,\ell) \to_\epsilon (1-\delta)\ell$ strong permutation extractor $\{P_y\}_{y\in S}$ with $\log|S| \le O(\log(n/\epsilon))$. Moreover, the functions $(x,y) \mapsto P_y(x)$ and $(x,y) \mapsto P_y^{-1}(x)$ can be computed by circuits of size $O(n\,\mathrm{polylog}(n/\epsilon))$.
A permutation $P$ on $\{0,1\}^n$ defines a unitary transformation on $(\mathbb{C}^2)^{\otimes n}$ that we also call $P$. The permutation extractor $\{P_y\}$ will be seen as a family of unitary transformations over $n$ qubits. Moreover, just as we decomposed the space $\{0,1\}^n$ into the first $m$ bits and the last $n-m$ bits, we decompose the space $(\mathbb{C}^2)^{\otimes n}$ into $A \otimes B$, where $A$ represents the first $m$ qubits and $B$ represents the last $n-m$ qubits. The properties of $\{P_y\}$ will then be reflected in the system $A$.

Combining Theorem 3.4.5 and Lemma 3.4.3, we obtain a set of unitaries satisfying a metric uncertainty relation.

Theorem 3.4.6 (Explicit uncertainty relations: key optimized). Let $\delta > 0$ be a constant, $n$ be a positive integer, $\epsilon \in (2^{-c'n}, 1)$ ($c'$ is a constant independent of $n$). Then, there exist $t \le (n/\epsilon)^c$ (for some constant $c$ independent of $n$ and $\epsilon$) unitary transformations $U_1, \ldots, U_t$ acting on $n$ qubits such that: if $A$ represents the first $(1-\delta)n/4 - O(\log(1/\epsilon))$ qubits and $B$ represents the remaining qubits, then for all $|\psi\rangle \in AB$,
$$\frac{1}{t}\sum_{k=1}^t \Delta\left(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\right) \le \epsilon .$$
Moreover, the mapping that takes the index $k \in [t]$ and a state $|\psi\rangle$ as inputs and outputs the state $U_k|\psi\rangle$ can be performed by a classical computation with polynomial runtime and a quantum circuit that consists of single-qubit Hadamard gates on a subset of the qubits followed by a permutation in the computational basis. This permutation can be computed by (classical or quantum) circuits of size $O(n\,\mathrm{polylog}(n/\epsilon))$.

Remark. Observe that in terms of the dimension $d$ of the Hilbert space, the number of unitaries $t$ is polylogarithmic.



Proof. Let $\epsilon' = \epsilon/6$. Lemma 3.4.2 gives $r = \lceil 2/\epsilon'^2 \rceil$ unitary transformations $V_1, \ldots, V_r$ that define $\gamma$-mutually unbiased bases with $\gamma = 1/2 - \delta/4$. Moreover, all these unitaries can be performed by a quantum circuit that consists of single-qubit Hadamard gates on a subset of the qubits. Theorem 3.4.5 with $\ell = (1-\delta/2)n/4 - \log(8/\epsilon'^2)$ and error $\epsilon'$ gives $|S| \le 2^{c\log(n/\epsilon')}$ permutations $\{P_y\}_{y\in S}$ of $\{0,1\}^n$ that define an $(n,\ell) \to_{\epsilon'} (1-\delta/2)\ell$ extractor and are computable by classical circuits of size $O(n\,\mathrm{polylog}(n/\epsilon))$. We now argue that this classical circuit can be used to build a quantum circuit of size $O(n\,\mathrm{polylog}(n/\epsilon))$ that computes the unitaries $P_y$.

Given classical circuits that compute $P$ and $P^{-1}$, we can construct reversible circuits $C_P$ and $C_{P^{-1}}$ for $P$ and $P^{-1}$. The circuit $C_P$ when given input $(x, 0)$ outputs the binary string $(x, P(x))$, so that it keeps the input $x$. Such a circuit can readily be transformed into a quantum circuit that acts on the computational basis states as the classical circuit. We also call these circuits $C_P$ and $C_{P^{-1}}$. Observe that we want to compute the unitary $P$, so we have to erase the input $x$. For this, we combine the circuits $C_P$ and $C_{P^{-1}}$ as described in Figure 3.1. Note that the size of this quantum circuit is the same as the size of the original classical circuit up to some multiplicative constant. Thus, this quantum circuit has size $O(n\,\mathrm{polylog}(n/\epsilon))$.



[Figure 3.1: circuit diagram. The input register $|x\rangle$ and an ancilla $|0\rangle$ enter $C_P$, giving $|x\rangle|P(x)\rangle$; the two registers are then swapped and $(C_{P^{-1}})^{-1}$ is applied, leaving $|P(x)\rangle$ in the top register and $|0\rangle$ in the ancilla.]

Figure 3.1: Quantum circuit to compute the permutation $P$ using quantum circuits $C_P$ for $P$ and $C_{P^{-1}}$ for $P^{-1}$. $(C_{P^{-1}})^{-1}$ is simply the circuit $C_{P^{-1}}$ taken backwards. The bottom register is an ancilla register.



The unitaries $\{U_1, \ldots, U_t\}$ are obtained by taking all the possible products $P_y V_j$ for $j \in [r]$, $y \in S$. Note that $t = r|S|$. We now show that the set $\{U_1, \ldots, U_t\}$ satisfies the uncertainty relation property. Using Lemma 3.4.3, for any state $|\psi\rangle$, the set
$$T_{|\psi\rangle} = \left\{j : \exists q_j,\ \Delta\left(p_{V_j|\psi\rangle}, q_j\right) \le \epsilon' \text{ and } H_{\min}(q_j) \ge (1-\delta/2)n/4 - \log(8/\epsilon'^2)\right\}$$
has size at least $(1-\epsilon')r$. Moreover, for all $a \in [d_A]$, $p^A_{P_yV_i|\psi\rangle}(a) = \sum_b |\langle a|\langle b|P_y V_i|\psi\rangle|^2 = \Pr\{P^E_y(X) = a\}$ where $X$ has distribution $p_{V_i|\psi\rangle}$. By definition, for $i \in T_{|\psi\rangle}$, we have $\Delta\left(p_{V_i|\psi\rangle}, q_i\right) \le \epsilon'$ with $H_{\min}(q_i) \ge (1-\delta/2)n/4 - \log(8/\epsilon'^2)$. Using the fact that $\{P^E_y\}$ is a strong extractor (see (3.20)) for min-entropy $(1-\delta/2)n/4 - \log(8/\epsilon'^2)$, it follows that
$$\frac{1}{|S|}\sum_{y\in S}\Delta\left(p^A_{P_yV_i|\psi\rangle}, \mathrm{unif}([d_A])\right) \le 2\epsilon'$$
for all $i \in T_{|\psi\rangle}$. As $|T_{|\psi\rangle}| \ge (1-\epsilon')r$, we obtain
$$\frac{1}{t}\sum_{k=1}^t \Delta\left(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\right) \le 3\epsilon' = \epsilon/2 .$$
To conclude, we show that $t$ can be taken to be a power of two at the cost of multiplying the error by at most two. In fact, let $p$ be the smallest integer satisfying $t \le 2^p$, so that $2^p < 2t$. By repeating $2^p - t$ unitaries, it is easily seen that we obtain an $\epsilon$-metric uncertainty relation with $2^p$ unitaries from an $\epsilon/2$-metric uncertainty relation with $t$ unitaries. □

Note that the $B$ system we obtain is quite large and to get strong uncertainty relations, we want the system $B$ to be as small as possible. For this, it is possible to repeat the construction of the previous theorem on the $B$ system. The next theorem gives a construction where the $A$ system is composed of $n - O(\log\log n) - O(\log(1/\epsilon))$ qubits. Of course, this is at the expense of increasing the number of unitaries in the uncertainty relation.

Theorem 3.4.7 (Explicit uncertainty relation: message length optimized). Let $n$ be a positive integer and $\epsilon \in (2^{-c'n}, 1)$ where $c'$ is a constant independent of $n$. Then, there exist $t \le (n/\epsilon)^{c\log n}$ (for some constant $c$ independent of $n$ and $\epsilon$) unitary transformations $U_1, \ldots, U_t$ acting on $n$ qubits that are all computable by quantum circuits of size $O(n\,\mathrm{polylog}(n/\epsilon))$ such that: if $A$ represents the first $n - O(\log\log n) - O(\log(1/\epsilon))$ qubits and $B$ represents the remaining qubits, then for all $|\psi\rangle \in AB$,
$$\frac{1}{t}\sum_{k=1}^t \Delta\left(p^A_{U_k|\psi\rangle}, \mathrm{unif}([d_A])\right) \le \epsilon . \qquad (3.21)$$
Moreover, the mapping that takes the index $k \in [t]$ and a state $|\psi\rangle$ as inputs and outputs the state $U_k|\psi\rangle$ can be performed by a classical precomputation with polynomial runtime and a quantum circuit of size $O(n\,\mathrm{polylog}(n/\epsilon))$. The number of unitaries $t$ can be taken to be a power of two.



Proof. Using the construction of Theorem 3.4.6, we obtain a system $A$ over which we have some uncertainty relation and a system $B$ that we do not control. In order to decrease the dimension of the system $B$, we can apply the same construction to that system. The system $B$ then gets decomposed into $A_2B_2$, and we know that the distribution of the measurement outcomes of system $A_2$ in the computational basis is close to uniform. As a result, we obtain an uncertainty relation on the system $AA_2$ (see Figure 3.2).

Figure 3.2: Composition of the construction of Theorem 3.4.6. In order to reduce the dimension of the $B$ system, we can re-apply the uncertainty relation to the $B$ system.

More precisely, we start by demonstrating a simple property about the composition of metric uncertainty relations. Note that this composition is different from the one described in (3.8), but the proof is quite similar.

Claim. Suppose the set $\{U^{(1)}_{k_1}\}_{k_1 \in [t_1]}$ of unitaries on $A_1B_1$ satisfies a $(t_1, \epsilon_1)$-metric uncertainty relation on system $A_1$ and the set $\{U^{(2)}_{k_2}\}_{k_2 \in [t_2]}$ of unitaries on $B_1 = A_2B_2$ satisfies a $(t_2, \epsilon_2)$-metric uncertainty relation on $A_2$. Then the set of unitaries $\left\{(\mathrm{id}_{A_1} \otimes U^{(2)}_{k_2}) \cdot U^{(1)}_{k_1}\right\}_{(k_1,k_2) \in [t_1]\times[t_2]}$ satisfies a $(t_1t_2, \epsilon_1 + \epsilon_2)$-metric uncertainty relation on $A_1A_2$: for all $|\psi\rangle \in A_1A_2B_2$,
$$\frac{1}{t_1 t_2}\sum_{(k_1,k_2)\in[t_1]\times[t_2]}\Delta\left(p^{A_1A_2}_{U^{(2)}_{k_2}U^{(1)}_{k_1}|\psi\rangle},\ \mathrm{unif}([d_{A_1}d_{A_2}])\right) \le \epsilon_1 + \epsilon_2 .$$

For a fixed value of $k_1 \in [t_1]$ and $a_1 \in [d_{A_1}]$, we can apply the second uncertainty relation to the state
$$|\psi^{(a_1)}_{k_1}\rangle = \frac{1}{\sqrt{p^{A_1}_{U^{(1)}_{k_1}|\psi\rangle}(a_1)}}\sum_{b_1}\left(\langle a_1|\langle b_1|U^{(1)}_{k_1}|\psi\rangle\right)|b_1\rangle \in B_1 = A_2B_2 .$$
As $\{|b_1\rangle\}_{b_1} = \{|a_2\rangle|b_2\rangle\}_{a_2,b_2}$, we have
$$\frac{1}{t_2}\sum_{k_2}\frac{1}{2}\sum_{a_2}\left|\frac{1}{p^{A_1}_{U^{(1)}_{k_1}|\psi\rangle}(a_1)}\sum_{b_2}\left|\langle a_1|_{A_1}\langle a_2|_{A_2}\langle b_2|_{B_2}(\mathrm{id}_{A_1}\otimes U^{(2)}_{k_2})U^{(1)}_{k_1}|\psi\rangle\right|^2 - \frac{1}{d_{A_2}}\right| \le \epsilon_2 .$$
We can then calculate, in the same vein as (3.10), using the triangle inequality to separate the deviation from uniformity on $A_2$ (conditioned on $a_1$) from the deviation on $A_1$,
$$\begin{aligned}
&\frac{1}{t_1t_2}\sum_{k_1,k_2}\Delta\left(p^{A_1A_2}_{U^{(2)}_{k_2}U^{(1)}_{k_1}|\psi\rangle},\ \mathrm{unif}([d_{A_1}d_{A_2}])\right) \\
&\quad= \frac{1}{t_1t_2}\sum_{k_1,k_2}\frac{1}{2}\sum_{a_1,a_2}\left|\sum_{b_2}\left|\langle a_1|_{A_1}\langle a_2|_{A_2}\langle b_2|_{B_2}(\mathrm{id}_{A_1}\otimes U^{(2)}_{k_2})U^{(1)}_{k_1}|\psi\rangle\right|^2 - \frac{1}{d_{A_1}d_{A_2}}\right| \\
&\quad\le \frac{1}{t_1}\sum_{k_1}\sum_{a_1} p^{A_1}_{U^{(1)}_{k_1}|\psi\rangle}(a_1)\cdot\frac{1}{t_2}\sum_{k_2}\frac{1}{2}\sum_{a_2}\left|\frac{\sum_{b_2}\left|\langle a_1|\langle a_2|\langle b_2|(\mathrm{id}_{A_1}\otimes U^{(2)}_{k_2})U^{(1)}_{k_1}|\psi\rangle\right|^2}{p^{A_1}_{U^{(1)}_{k_1}|\psi\rangle}(a_1)} - \frac{1}{d_{A_2}}\right| \\
&\qquad + \frac{1}{t_1}\sum_{k_1}\frac{1}{2}\sum_{a_1}\left|p^{A_1}_{U^{(1)}_{k_1}|\psi\rangle}(a_1) - \frac{1}{d_{A_1}}\right| \\
&\quad\le \epsilon_2 + \epsilon_1 .
\end{aligned}$$
This completes the proof of the claim.

To obtain the claimed dimensions, we compose the construction of Theorem 3.4.6 $h$ times with an error parameter $\epsilon' = \epsilon/h$ and $\delta = 1/8$. Starting with a space of $n$ qubits, the dimension of the $B$ system (after one step) can be bounded by
$$\frac{7}{8}n - O(\log(1/\epsilon')) \le \log d_B \le \frac{7}{8}n .$$
So after $h$ steps, we have
$$(7/8)^h n - O(\log(1/\epsilon')) \cdot 8\left(1 - (7/8)^h\right) \le \log d_{B_h} \le (7/8)^h n .$$
Thus,
$$(7/8)^h n - O(\log(1/\epsilon')) \le \log d_{B_h} \le (7/8)^h n .$$
Note that $h$ cannot be arbitrarily large: in order to apply the construction of Theorem 3.4.6 on a system of $m$ qubits with error $\epsilon'$, we should have $\epsilon' > 2^{-c'm}$. In other words, if
$$\log d_{B_h} \ge \frac{1}{c'}\log(h/\epsilon), \qquad (3.22)$$
then we can apply the construction $h$ times. Let $c''$ be a constant to be chosen later and
$$h = \left\lfloor \frac{1}{\log(8/7)}\left(\log n - \log\left(c''\log\log n + c''\log(1/\epsilon)\right)\right)\right\rfloor .$$
This choice of $h$ satisfies (3.22). In fact,
$$\log d_{B_h} \ge c''\log\log n + c''\log(1/\epsilon) - O(\log(h/\epsilon)) \ge \frac{1}{c'}\log(h/\epsilon)$$
if $c''$ is chosen large enough. Moreover, we get
$$\log d_{B_h} \le (7/8)^h n = 2^{-\log n}\cdot 2^{\log\left(c''(\log\log n + \log(1/\epsilon))\right)}\cdot n = O(\log\log n + \log(1/\epsilon))$$
as stated in the theorem.

Each unitary of the obtained uncertainty relation is a product of $h$ unitaries each obtained from Theorem 3.4.6. The overall number of unitaries is the product of the number of unitaries for each of the $h$ steps. As a result, we have $t \le (n/\epsilon)^{c\log n}$ for some constant $c$. $t$ can be taken to be a power of two as the number of unitaries at each step can be taken to be a power of two. As for the running time, every unitary transformation of the uncertainty relation is a product of $O(\log n)$ unitaries each computed by a quantum circuit of size $O(n\,\mathrm{polylog}(n/\epsilon))$ and can thus be computed by a quantum circuit of size $O(n\,\mathrm{polylog}(n/\epsilon))$. □

It is of course possible to obtain a trade-off between the key size and the dimension of the $B$ system by choosing the number of times the construction of Theorem 3.4.6 is applied. In the next corollary, we show how to obtain an explicit entropic uncertainty relation whose average entropy is $(1-\epsilon)n$.
Corollary 3.4.8 (Explicit entropic uncertainty relations). Let $n \ge 100$ be an integer, and $\varepsilon \in (10n^{-1/2}, 1)$. Then, there exist $t \le (n/\varepsilon)^{c\log(1/\varepsilon)}$ (for some constant $c$ independent of $n$ and $\varepsilon$) unitary transformations $U_1, \dots, U_t$ acting on $n$ qubits that are all computable by quantum circuits of size $O(n\,\mathrm{polylog}\,n)$ satisfying an entropic uncertainty relation: for all pure states $|\psi\rangle \in (\mathbb{C}^2)^{\otimes n}$,

$\frac{1}{t}\sum_{k=1}^{t} H(p_{U_k|\psi\rangle}) \ge (1-9\varepsilon)n - 2h_2(2\varepsilon).$

Moreover, the mapping that takes the index $k \in [t]$ and a state as inputs and outputs the state $U_k|\psi\rangle$ can be performed by a classical precomputation with polynomial runtime and a quantum circuit of size $O(n\,\mathrm{polylog}\,n)$. The number of unitaries $t$ can be taken to be a power of two.



Proof. The proof is basically the same as the proof of Theorem 3.4.7, except that we repeat the construction $h = \lceil \log(1/\varepsilon)/\log(8/7) \rceil$ times. We thus have

$\log d_{B_h} \le (7/8)^h n \le \varepsilon n.$

We obtain a set of $t \le (n/\varepsilon)^{c\log(1/\varepsilon)}$ unitary transformations. Applying Proposition 3.2.2, we get

$\frac{1}{t}\sum_{k=1}^{t} H(p_{U_k|\psi\rangle}) \ge (1-8\varepsilon)(1-\varepsilon)n - 2h_2(2\varepsilon) \ge (1-9\varepsilon)n - 2h_2(2\varepsilon).$ □



Chapter 4 

Uncertainty relations for quantum 
measurements: Applications 



Outline of the chapter. In this chapter, we give several applications of uncertainty relations. We start in Section 4.1 with applications related to information locking, which all have a cryptographic flavour. In Section 4.2 we consider the communication problem called quantum identification.



4.1 Locking classical information in quantum states 



Outline of the section. We apply the results on metric uncertainty relations of the previous chapter to obtain locking schemes. After an introductory section on locking classical correlations (Section 4.1.1), we show how to obtain a locking scheme using a metric uncertainty relation in Section 4.1.2. Using the constructions of the previous chapter, this leads to locking schemes presented in Corollaries 4.1.5 and 4.1.7. Section 4.1.4 discusses the existence of error tolerant locking schemes. In Section 4.1.5 we show how to construct quantum hiding fingerprints by locking a classical fingerprint. In Section 4.1.6 we observe that these locking schemes can be used to construct efficient string commitment protocols. Section 4.1.7 discusses the link to locking entanglement of formation.



4.1.1 Background 



Locking of classical correlations was first described by DiVincenzo et al. [2004] as a violation of the incremental proportionality of the maximal classical mutual information that can be obtained by local measurements on a bipartite state. More precisely, for a bipartite state $\omega^{AB}$, the maximum classical mutual information $I_c$ is defined by

$I_c(A;B)_\omega = \max I(I_A; I_B),$

where the maximum is over measurements $\{M^A_i\}$ and $\{M^B_j\}$ on $A$ and $B$, and $I_A, I_B$ are the (random) outcomes of these measurements on the state $\omega^{AB}$. Incremental proportionality is the intuitive property that $\ell$ bits of communication between two parties can increase their mutual information by at most $\ell$ bits. DiVincenzo et al. [2004] considered the states

$\omega^{XKC} = \frac{1}{2d}\sum_{k=1}^{2}\sum_{x=1}^{d} |x\rangle\langle x|^X \otimes |k\rangle\langle k|^K \otimes (U_k|x\rangle\langle x|U_k^\dagger)^C \qquad (4.1)$

where $U_1 = \mathrm{id}$ and $U_2$ is the Hadamard transform. It was shown by DiVincenzo et al. [2004] that the classical mutual information $I_c(XK;C)_\omega = \frac{1}{2}\log d$. However, if the holder of the $C$ system also knows the value of $k$, then we can represent the global state by the following density operator

$\omega^{XKCK'} = \frac{1}{2d}\sum_{k=1}^{2}\sum_{x=1}^{d} |x\rangle\langle x|^X \otimes |k\rangle\langle k|^K \otimes (U_k|x\rangle\langle x|U_k^\dagger)^C \otimes |k\rangle\langle k|^{K'}.$

It is easy to see that $I_c(XK;CK')_\omega = 1 + \log d$. This means that with only one bit of communication (represented by the register $K'$), the classical mutual information between systems $XK$ and $C$ jumped from $\frac{1}{2}\log d$ to $1 + \log d$. In other words, it is possible to unlock $\frac{1}{2}\log d$ bits of information (about $X$) from the quantum system $C$ using a single bit.



Hayden et al. [2004] proved an even stronger locking result. They generalize the state in equation (4.1) to

$\omega^{XKCK'} = \frac{1}{td}\sum_{x=1}^{d}\sum_{k=1}^{t} |x\rangle\langle x|^X \otimes |k\rangle\langle k|^K \otimes (U_k|x\rangle\langle x|U_k^\dagger)^C \otimes |k\rangle\langle k|^{K'} \qquad (4.2)$

where the unitaries $U_k$ are chosen independently at random according to the Haar measure. They show that for any $\varepsilon > 0$, by taking $t = (\log d)^3$ and if $d$ is large enough,

$I_c(X;C)_\omega \le \varepsilon\log d \quad\text{and}\quad I_c(XK;CK')_\omega = \log d + \log t$

with high probability. Note that the size of the key measured in bits is only $\log t = O(\log\log d)$ and it should be compared to the $(1-\varepsilon)\log d$ bits of unlocked (classical) information. It should be noted that their argument is probabilistic, and it does not say how to construct the unitary transformations. Standard derandomization techniques are






not known to work in this setting. For example, unitary $t$-designs use far too many bits of randomness [Dankert et al., 2009]. Moreover, using a $\delta$-biased subset of the set of Pauli matrices fails to produce a locking scheme unless the subset has a size of the order of the dimension $d$ [Ambainis and Smith, 2004, Desrosiers and Dupuis, 2010] (see Section 4.1.3).

Here, we view locking as a cryptographic task in which a message is encoded into a 
quantum state using a key whose size is much smaller than the message. Having access to 
the key, one can decode the message. However, an eavesdropper who does not have access 
to the key and has complete uncertainty about the message can extract almost no classical 
information about the message. 

Definition 4.1.1 ($\varepsilon$-locking scheme). Let $n$ be a positive integer, $\ell \in [0, n]$ and $\varepsilon \in [0, 1]$. An encoding $\mathcal{E} : [2^n] \times [t] \to \mathcal{S}(C)$ is said to be $(\ell, \varepsilon)$-locking for the quantum system $C$ if:

• For all $x \neq x' \in [2^n]$ and all $k \in [t]$, $\Delta(\mathcal{E}(x,k), \mathcal{E}(x',k)) = 1$.

• Let $X$ (the message) be a random variable on $[2^n]$ with min-entropy $H_{\min}(X) \ge \ell$, and $K$ (the key) be an independent uniform random variable on $[t]$. For any measurement $\{M_i\}$ on $C$ and any outcome $i$,

$\Delta(p_{X|[I=i]}, p_X) \le \varepsilon \qquad (4.3)$

where $I$ is the outcome of measurement $\{M_i\}$ on the (random) quantum state $\mathcal{E}(X,K)$.

When the min-entropy bound $\ell$ is not specified, it should be understood that $\ell = n$, meaning that $X$ is uniformly distributed on $[2^n]$. The state $\mathcal{E}(x,k)$ for $x \in [2^n]$ and $k \in [t]$ is referred to as the ciphertext.

Remark. The relevant parameters of a locking scheme are: the number of bits $n$ of the (classical) message, the dimension $d$ of the (quantum) ciphertext, the number $t$ of possible values of the key and the error $\varepsilon$. Strictly speaking, a classical one-time pad encryption, for which $t = 2^n$, is $(0,0)$-locking according to this definition. However, here we seek locking schemes for which $t$ is much smaller than $2^n$, say polynomial in $n$. This cannot be achieved using a classical encryption scheme.

In the remainder of this section, we comment on the definition. We should stress first that this is not a composable cryptographic task, namely because an eavesdropper could choose to store quantum information about the message instead of measuring. In fact, as shown by König et al. [2007], using the communicated message $X$ as a key for a one-time pad encryption might not be secure; see also [Dupuis et al., 2010b].
Thus, a locking map destroys almost all classical correlations with the message, but it is impossible to erase all quantum correlations with a key significantly smaller than the message. For example, consider a map $\mathcal{E} : \{0,1\}^n \times [t] \to \mathcal{S}(C)$ such that the requirement (4.3) is replaced by $I(X;C)_\omega \le \delta$, where $I$ is the quantum mutual information computed for the state $\omega^{XKC} = \frac{1}{2^n t}\sum_{x,k} |x\rangle\langle x|^X \otimes |k\rangle\langle k|^K \otimes \mathcal{E}(x,k)^C$. We have

$H(X) = H(X) + H(CK) - H(CK) \le H(X) + H(C) + H(K) - H(CK).$

Now we use the fact that for all $k$, the states $\{\mathcal{E}(x,k)\}_x$ are perfectly distinguishable. Thus, there exists an isometry that maps $\omega^{CK}$ to $\omega^{CKX}$. Hence, $H(CK)_\omega = H(CKX)_\omega$. As a result,

$H(X) \le H(X) + H(C) + H(K) - H(CKX) \le H(K) + H(X) + H(C) - H(CX) = H(K) + I(X;C). \qquad (4.4)$

This argument shows that if the key is much smaller than the message, then the quantum mutual information between the message and the ciphertext is large; it is in fact at least the size of the message minus the size of the key. It is basically the same argument that Shannon used to prove that any perfect encryption scheme has to use a key of size at least the message size [Shannon, 1949]. The reason this argument fails for the classical mutual information $I_c$ is that the measurement to be made on the ciphertext to decode correctly depends on the value taken by the key. So replacing the system $C$ by the outcome $I$ of some fixed measurement on $C$, the inequality $H(IK) \ge H(IKX)$ does not hold.

One could compare a locking scheme to an entropically secure encryption scheme [Dodis and Smith, 2005, Russell and Wang, 2002]. These two schemes achieve the same task of encrypting a high entropy message using a small key. The security definition of a locking scheme is strictly stronger. In fact, for a classical eavesdropper (i.e., an eavesdropper that can only measure) an $\varepsilon$-locking scheme is secure in a strong sense. This additional security guarantee comes at the cost of upgrading classical communication to quantum communication. With respect to quantum entropically secure encryption [Desrosiers, 2009, Desrosiers and Dupuis, 2010], the security condition of a locking scheme is also more stringent (see Section 4.1.3 for an example of an entropically secure encryption scheme that is not $\varepsilon$-locking). However, a quantum entropically secure scheme allows the encryption of quantum states.

We mentioned that if the adversary has no quantum storage, then a message that is 
transmitted using a locking scheme can be used in subsequent protocols. In the following 






proposition, we show that it is still safe to re-use the transmitted message provided the adversary is only allowed to have a small quantum memory. We follow the same technique as in [Hallgren et al., 2010, Corollary 2].



Proposition 4.1.2. Let $\mathcal{E}$ be an $\varepsilon$-locking scheme and $\mathcal{F} : C \to YQ$ be an (eavesdropping) completely positive trace preserving map that sends all states $\mathcal{E}(x,k)$ to states on $YQ$ that are classical on $Y$. Then, we have

$\Delta(\omega^{XYQ}, \omega^X \otimes \omega^{YQ}) \le \varepsilon \cdot c^{-1} d_Q^{1/2}$

where $\omega^{XKYQ} = \frac{1}{2^n t}\sum_{x,k} |x\rangle\langle x| \otimes |k\rangle\langle k| \otimes \mathcal{F}(\mathcal{E}(x,k))$ and $c$ is a constant.

Proof. The idea is to use the fact that there exists a measurement that can be used to distinguish any pair of states reasonably well. More precisely, we use a result of Ambainis and Emerson [2007, Theorem 4] that states that there exists a measurement map $\mathcal{N} : \mathcal{C}(Q) \to \mathcal{C}(Z)$ such that for any $\omega_1, \omega_2$,

$\|\mathcal{N}(\omega_1) - \mathcal{N}(\omega_2)\|_1 \ge c\, d_Q^{-1/2}\, \|\omega_1 - \omega_2\|_1 \qquad (4.5)$

for some constant $c$; see also Radhakrishnan et al. [2009]. We will need a slightly more general statement that applies to non-normalized states: for any $p_1 \ge p_2 \ge 0$,

$\|p_1\mathcal{N}(\omega_1) - p_2\mathcal{N}(\omega_2)\|_1 \ge c/4 \cdot d_Q^{-1/2}\, \|p_1\omega_1 - p_2\omega_2\|_1. \qquad (4.6)$

In order to prove this, we proceed as in [Hallgren et al., 2010, Corollary 2]. We denote by $\{\mu_1(z)\}_z$ and $\{\mu_2(z)\}_z$ the outcome distributions for measurement $\mathcal{N}$ on the states $\omega_1$ and $\omega_2$. We have

$\|p_1\mathcal{N}(\omega_1) - p_2\mathcal{N}(\omega_2)\|_1 = \sum_z |p_1\mu_1(z) - p_2\mu_2(z)| = \sum_z |p_1(\mu_1(z) - \mu_2(z)) + (p_1 - p_2)\mu_2(z)|.$

We now lower bound this expression in two different ways. First, we have

$\sum_z |p_1(\mu_1(z) - \mu_2(z)) + (p_1 - p_2)\mu_2(z)| \ge \sum_z |p_1(\mu_1(z) - \mu_2(z))| - \|(p_1 - p_2)\mu_2\|_1 = p_1\|\mu_1 - \mu_2\|_1 - (p_1 - p_2),$

using the fact that $\mu_1$ and $\mu_2$ are probability distributions. Second, we have

$\sum_z |p_1(\mu_1(z) - \mu_2(z)) + (p_1 - p_2)\mu_2(z)| \ge \Big|\sum_z p_1(\mu_1(z) - \mu_2(z)) + (p_1 - p_2)\mu_2(z)\Big| = \|(p_1 - p_2)\mu_2\|_1 = p_1 - p_2.$

Thus,

$\|p_1\mathcal{N}(\omega_1) - p_2\mathcal{N}(\omega_2)\|_1 \ge \frac{\|(p_1 - p_2)\mu_2\|_1}{2} + \frac{p_1\|\mu_1 - \mu_2\|_1}{4} \ge \frac{\|(p_1 - p_2)\mu_2\|_1}{2} + \frac{p_1 c\, d_Q^{-1/2}\|\omega_1 - \omega_2\|_1}{4} \ge c\, d_Q^{-1/2}/4 \cdot \|p_1\omega_1 - p_2\omega_2\|_1.$

In the second inequality, we used the property (4.5) of the measurement $\mathcal{N}$ and in the third inequality, we used the triangle inequality. This proves property (4.6).

We are now in a position to prove the desired result. Let $\omega^{XYQ} = \sum_{x,y} \frac{p_{Y|X}(y|x)}{d_X}\, |x\rangle\langle x|^X \otimes |y\rangle\langle y|^Y \otimes \omega_{x,y}^Q$. Letting $\omega_y = \sum_x \frac{p_{Y|X}(y|x)}{d_X\, p_Y(y)}\, \omega_{x,y}$, we can write

$\Delta(\omega^{XYQ}, \omega^X \otimes \omega^{YQ}) = \frac{1}{d_X}\sum_x\sum_y \Delta\big(p_{Y|X}(y|x)\,\omega_{x,y},\ p_Y(y)\,\omega_y\big) \le \frac{1}{d_X}\sum_x\sum_y \frac{4 d_Q^{1/2}}{c}\,\Delta\big(p_{Y|X}(y|x)\,\mathcal{N}(\omega_{x,y}),\ p_Y(y)\,\mathcal{N}(\omega_y)\big) = \frac{4 d_Q^{1/2}}{c}\,\Delta(p_{XYZ}, p_X \times p_{YZ}),$

where $Y, Z$ are obtained by performing the measurement defined by $(\mathrm{id}_Y \otimes \mathcal{N}_{Q\to Z}) \circ \mathcal{F}$ on the state $\mathcal{E}(X,K)$. We conclude by using the fact that $\mathcal{E}$ is $\varepsilon$-locking so that $\Delta(p_{XYZ}, p_X \times p_{YZ}) \le \varepsilon$. □
Proposition 4.1.2 is interesting for the scheme presented in Corollary 4.1.7 below, for which the sender and the receiver do not use any quantum memory. One could then use such a scheme for key distribution in the bounded quantum storage model, where the adversary is only allowed to have a quantum memory of logarithmic size in $n$ but can have an arbitrarily large classical memory. Note that even though this is a strong assumption compared to the unconditional security of BB84 [Bennett and Brassard, 1984], one advantage of such a protocol for key distribution is that it only uses one-way communication between the two parties. In contrast, the BB84 quantum key distribution protocol needs interaction between the two parties.

Another remark about Definition 4.1.1 is that we used the statistical distance between $p_{X|[I=i]}$ and $p_X$ instead of the mutual information between $X$ and $I$ to measure the information gained about $X$ from a measurement. Using the trace distance is a stronger requirement as demonstrated by the following proposition.

Proposition 4.1.3. Let $\varepsilon \in [0, 1/2]$ and $\mathcal{E} : [2^n] \times [t] \to \mathcal{S}(C)$ be an $\varepsilon$-locking scheme. Define the state

$\omega^{XKCK'} = \frac{1}{t\,2^n}\sum_{k=1}^{t}\sum_{x=1}^{2^n} |x\rangle\langle x|^X \otimes |k\rangle\langle k|^K \otimes \mathcal{E}(x,k)^C \otimes |k\rangle\langle k|^{K'}.$

Then,

$I_c(X;C)_\omega \le 8\varepsilon n + 2h_2(2\varepsilon) \quad\text{and}\quad I_c(XK;CK')_\omega = n + \log t.$

Proof. First, we can suppose that the measurement performed on the system $X$ is in the basis $\{|x\rangle\}_x$. In fact, the outcome distribution of any measurement on the $X$ system can be simulated classically using the value of the random variable $X$.

Now let $I$ be the outcome of a measurement performed on the $C$ system. Using Fannes' inequality (a special case of Lemma 2.2.5), we have for any $i$

$H(X) - H(X|I=i) \le 8\Delta(p_X, p_{X|[I=i]})\,n + 2h_2(2\Delta(p_X, p_{X|[I=i]})) \le 8\varepsilon n + 2h_2(2\varepsilon)$

using the fact that $\mathcal{E}$ defines an $\varepsilon$-locking scheme. Thus,

$I(X;I) = H(X) - \sum_i \Pr\{I=i\}\, H(X|I=i) \le 8\varepsilon n + 2h_2(2\varepsilon).$

As this holds for any measurement, we get $I_c(X;C)_\omega \le 8\varepsilon n + 2h_2(2\varepsilon)$. □

The trace distance was also used in Dupuis [2010], Dupuis et al. [2010b] to define a locking scheme. To measure the leakage of information about $X$ caused by a measurement, they used the probably more natural trace distance between the joint distribution $p_{(X,I)}$ and the product distribution $p_X \times p_I$. Note that our definition is stronger, in that for all outcomes of the measurement $i$, $\Delta(p_{X|[I=i]}, p_X) \le \varepsilon$ whereas the definition of Dupuis et al. [2010b] says that this only holds on average over $i$. The condition of Dupuis et al. [2010b] is probably sufficient for most applications but our techniques naturally achieve the stronger form without degrading the parameters. We should finally note that the trace distance condition cannot be much stronger than the condition on the classical mutual information. In fact, using Pinsker's inequality, we can upper bound the trace distance using the mutual information:

$\Delta(p_{(X,I)}, p_X \times p_I) \le \sqrt{I(X;I)/2}.$

For a survey on locking classical correlations, see Leung [2009].



Other related work

In a cryptographic setting, Damgård et al. [2004] used ideas related to locking to develop quantum ciphers that have the property that the key used for encryption can be recycled. In Damgård et al. [2005], they construct a quantum key recycling scheme (see also Oppenheim and Horodecki [2005]) with near optimal parameters by encoding the message together with its authentication tag using a full set of mutually unbiased bases.



4.1.2 Locking using a metric uncertainty relation 

The following theorem shows that a locking scheme can easily be constructed using a metric uncertainty relation.

Theorem 4.1.4. Let $\varepsilon \in (0,1)$ and $\{U_1, \dots, U_t\}$ be a set of unitary transformations of $A \otimes B$ that satisfies an $\varepsilon$-metric uncertainty relation on $A$, i.e., for all states $|\psi\rangle \in AB$,

$\frac{1}{t}\sum_{k=1}^{t} \Delta\big(p^A_{U_k|\psi\rangle}, \mathrm{unif}_{[d_A]}\big) \le \varepsilon.$

Assume $d_A = 2^n$. Then, the mapping $\mathcal{E} : [2^n] \times [t] \to \mathcal{S}(AB)$ defined by

$\mathcal{E}(x,k) = U_k^\dagger\Big(|x\rangle\langle x|^A \otimes \frac{\mathrm{id}_B}{d_B}\Big) U_k$

is $\varepsilon$-locking. Moreover, for all $\ell \in [0,n]$ such that $2^{\ell-n} > \varepsilon$, it is $\big(\ell, \frac{2\varepsilon}{2^{\ell-n} - \varepsilon}\big)$-locking.



Remark. Figure 4.1 illustrates the locking scheme. The state that the encoder inputs in the $B$ system is simply private randomness. The encoder chooses a uniformly random $b \in [d_B]$ and sends the quantum state $U_k^\dagger|x\rangle^A|b\rangle^B$. Note that $b$ does not need to be part of the key (i.e., shared with the receiver). This makes the dimension $d = d_A d_B$ of the ciphertext larger than the number of possible messages $2^n$. If one insists on having a ciphertext of the same size as the message, it suffices to consider $b$ as part of the message and apply a one-time pad encryption to $b$. The number of possible values taken by the key increases to $t \cdot d_B$.



[Figure 4.1: Illustration of the locking scheme described in Theorem 4.1.4. Encoding: the message $x \in \{0,1\}^n$ is placed in register $A$ and private randomness $b \in_u [d_B]$ (not shared) in register $B$; the unitary selected by the key $k \in [t]$ is applied to produce $\mathcal{E}(x,k)$. Decoding: the inverse unitary selected by the key is applied.]



Proof. First, it is clear that different messages are distinguishable. In fact, for $x \neq x'$ and any $k$,

$\Delta(\mathcal{E}(x,k), \mathcal{E}(x',k)) = \Delta\Big(U_k^\dagger\Big(|x\rangle\langle x|^A \otimes \frac{\mathrm{id}_B}{d_B}\Big)U_k,\ U_k^\dagger\Big(|x'\rangle\langle x'|^A \otimes \frac{\mathrm{id}_B}{d_B}\Big)U_k\Big) = 1.$

We now prove the locking property. Let $X$ be the random variable representing the message. Assume that $X$ is uniformly distributed over some set $S \subseteq [d_A]$ of size $|S| \ge 2^\ell$. Let $K$ be a uniformly random key in $[t]$ that is independent of $X$. Consider a POVM $\{M_i\}$ on the system $AB$. Without loss of generality, we can suppose that the POVM elements $M_i$ have rank 1. Otherwise, by writing $M_i$ in its eigenbasis, we could decompose outcome $i$ into more outcomes that can only reveal more information. So we can write the elements as weighted rank one projectors: $M_i = \xi_i |e_i\rangle\langle e_i|$ where $\xi_i \ge 0$. Our objective is to show that the outcome $I$ of this measurement on the state $\mathcal{E}(X,K)$ is almost independent of $X$. More precisely, for a fixed measurement outcome $I = i$, we want to compare the conditional distribution $p_{X|[I=i]}$ with $p_X$. The trace distance between these distributions can be written as

$\Delta(p_{X|[I=i]}, p_X) = \frac{1}{2}\sum_x \big|\Pr\{X = x | I = i\} - \Pr\{X = x\}\big|. \qquad (4.7)$



Towards this objective, we start by computing the distribution of the measurement outcome $I$, given the value of the message $X = x$ (note that the receiver does not know the key):

$\Pr\{I = i | X = x\} = \frac{1}{t\,d_B}\sum_{k=1}^{t}\sum_{b=1}^{d_B} \mathrm{tr}\big[U_k\,\xi_i|e_i\rangle\langle e_i|\,U_k^\dagger \cdot |x\rangle\langle x|^A \otimes |b\rangle\langle b|^B\big] = \frac{\xi_i}{t\,d_B}\sum_{k=1}^{t}\sum_{b=1}^{d_B} \big|\langle x|^A\langle b|^B\, U_k\, |e_i\rangle\big|^2 = \frac{\xi_i}{t\,d_B}\sum_{k=1}^{t} p^A_{U_k|e_i\rangle}(x).$



Since $X$ is uniformly distributed over $S$, we have that for all $x \in S$

$\Pr\{X = x | I = i\} = \frac{\Pr\{X = x\}\Pr\{I = i | X = x\}}{\sum_{x' \in S}\Pr\{X = x'\}\Pr\{I = i | X = x'\}} = \frac{\sum_{k=1}^{t} p^A_{U_k|e_i\rangle}(x)}{\sum_{x' \in S}\sum_{k=1}^{t} p^A_{U_k|e_i\rangle}(x')}. \qquad (4.8)$

Observe that in the case where $X$ is uniformly distributed over $[2^n]$ ($S = [2^n]$), it is simple to obtain directly that

$\Delta(p_{X|[I=i]}, p_X) = \frac{1}{2}\sum_{x=1}^{2^n}\Big|\frac{1}{t}\sum_{k=1}^{t} p^A_{U_k|e_i\rangle}(x) - \frac{1}{2^n}\Big| \le \varepsilon$
using the fact that $\{U_k\}$ satisfies a metric uncertainty relation on $A$. Now let $S$ be any set of size at least $2^\ell$ and let $\alpha = \frac{1}{t}\sum_{x' \in S}\sum_{k=1}^{t} p^A_{U_k|e_i\rangle}(x')$. We then bound

$\frac{1}{2}\sum_{x=0}^{d_A-1}\big|\Pr\{X = x | I = i\} - \Pr\{X = x\}\big| = \frac{1}{2}\sum_{x \in S}\Big|\frac{1}{\alpha}\cdot\frac{1}{t}\sum_{k=1}^{t} p^A_{U_k|e_i\rangle}(x) - \frac{1}{|S|}\Big| \le \frac{1}{2\alpha}\sum_{x \in S}\Big|\frac{1}{t}\sum_{k=1}^{t} p^A_{U_k|e_i\rangle}(x) - \frac{1}{2^n}\Big| + \frac{1}{2\alpha}\Big|\frac{|S|}{2^n} - \alpha\Big|.$

We now use the fact that $\{U_k\}$ satisfies a metric uncertainty relation on $A$: we get

$\frac{1}{2}\sum_{x \in S}\Big|\frac{1}{t}\sum_{k=1}^{t} p^A_{U_k|e_i\rangle}(x) - \frac{1}{2^n}\Big| \le \varepsilon$

and

$\Big|\frac{|S|}{2^n} - \alpha\Big| = \Big|\sum_{x' \in S}\Big(\frac{1}{2^n} - \frac{1}{t}\sum_{k=1}^{t} p^A_{U_k|e_i\rangle}(x')\Big)\Big| \le 2\varepsilon.$

As a result, we have

$\Delta(p_{X|[I=i]}, p_X) \le \frac{2\varepsilon}{\alpha}. \qquad (4.9)$

Using the uncertainty relation again, we have $\alpha \ge |S|2^{-n} - \varepsilon \ge 2^{\ell-n} - \varepsilon$. If $\varepsilon < 2^{\ell-n}$, we get

$\Delta(p_{X|[I=i]}, p_X) \le \frac{2\varepsilon}{2^{\ell-n} - \varepsilon}.$

In the general case when $X$ has min-entropy $\ell$, the distribution of $X$ can be seen as a mixture of uniform distributions over sets of size at least $2^\ell$. So there exist independent random variables $J \in \mathbb{N}$ and $\{X_j\}$ uniformly distributed on sets of size at least $2^\ell$ such that $X = X_J$. One can then write

$\frac{1}{2}\sum_x \big|\Pr\{X = x | I = i\} - \Pr\{X = x\}\big| = \frac{1}{2}\sum_x \Big|\sum_j \Pr\{J = j\}\big(\Pr\{X_j = x | I = i, J = j\} - \Pr\{X_j = x | J = j\}\big)\Big| \le \frac{2\varepsilon}{2^{\ell-n} - \varepsilon}.$ □

Using Theorem 4.1.4 together with the existence of metric uncertainty relations (Theorem 3.3.2), we show the existence of $\varepsilon$-locking schemes whose key size depends only on $\varepsilon$ and not on the size of the encoded message.

Corollary 4.1.5 (Existence of locking schemes). Let $n$ be a large enough integer and $\varepsilon \in (0,1)$. Then there exists an $\varepsilon$-locking scheme encoding an $n$-bit message using a key of at most $2\log(1/\varepsilon) + O(\log\log(1/\varepsilon))$ bits into at most $n + 2\log(18/\varepsilon)$ qubits.

Remark. Observe that in terms of number of bits, the size of the key is only a factor of two larger (up to smaller order terms) than the lower bound of $\log(1/(\varepsilon + 2^{-n}))$ bits that can be obtained by guessing the key. In fact, consider the strategy of performing the decoding operation corresponding to the key value $0$. In this case, we have $\Pr\{X = i | I = i\} \ge \Pr\{K = 0\} = 1/t$. Thus, $\Delta(p_{X|[I=i]}, p_X) \ge 1/t - 2^{-n}$.

Recall that we can increase the size of the message to be equal to the number of qubits of the ciphertext at the cost of increasing the key size to at most $4\log(1/\varepsilon) + O(\log\log(1/\varepsilon))$.

Proof. Use the construction of Theorem 3.3.2 with $d_A = 2^n$ and $d_B = 2^q$ such that $2^{q-1} < 9/\varepsilon^2 \le 2^q$ and $d = d_A d_B$. Take $t = 2^p$ to be the power of two with $2^{p-1} < 4 \cdot 18\, c \log(9/\varepsilon) \le 2^p$. □



To construct $(\ell, \varepsilon)$-locking schemes with $\ell < n$, it suffices to use Theorem 3.3.2 with, say, $\varepsilon' = 2^{\ell-n}\varepsilon/4$. In this case, we obtain a key of size $O((n-\ell) + \log(1/\varepsilon))$. We note that this increase in the key size is unavoidable because of the following proposition.

Proposition 4.1.6. Assume $\mathcal{E}$ defines an $(\ell, \varepsilon)$-locking scheme with $\varepsilon < 1/4$ and a key of size $\log t$. Then $\log t \ge n - \ell - 2$.

Proof. We proceed as in the proofs of lower bounds on the key size in entropic security [Dodis and Smith, 2005]. The idea is to show that if $\mathcal{E}$ is an $(\ell, \varepsilon)$-locking scheme, then it can be used to build an encryption scheme for messages of $n - \ell$ bits that has the following properties. Given the secret key, the encryptions of $w$ and $w'$ are perfectly distinguishable, but without the key, the encryptions of $w$ and $w'$ are almost indistinguishable. For such a scheme, we show in Proposition A.3.1 that the key size is at least the size of the message: $\log t \ge n - \ell - 2$.

Define the random variables $X_w$ for $w \in \{0,1\}^{n-\ell}$ which are uniformly distributed on $\{w\} \times \{0,1\}^\ell$. Our encryption scheme encrypts $w$ using the key $k$ into $\mathcal{E}(X_w, k)$. First, clearly a decoder having the key can determine $w$ using $\mathcal{E}(X_w, k)$. Second, we show that






the ciphertexts corresponding to $w$ and $w' \neq w$ are almost indistinguishable:

$\Delta(\rho_w, \rho_{w'}) \le 2\varepsilon, \qquad (4.10)$

where $\rho_w = \frac{1}{2^\ell t}\sum_{k \in [t],\, y \in \{0,1\}^\ell} \mathcal{E}(w \cdot y, k)$. To show this we let $A$ be a positive operator such that $\Delta(\rho_w, \rho_{w'}) = \mathrm{tr}[A(\rho_w - \rho_{w'})]$ (see equation (2.5)). We then have

$\mathrm{tr}[A(\rho_w - \rho_{w'})] \le \Big|\mathrm{tr}\Big[A\Big(\rho_w - \frac{\rho_w + \rho_{w'}}{2}\Big)\Big]\Big| + \Big|\mathrm{tr}\Big[A\Big(\rho_{w'} - \frac{\rho_w + \rho_{w'}}{2}\Big)\Big]\Big| \le 2\sum_{z \in \{w,w'\} \times \{0,1\}^\ell} \Pr\{Z = z\}\,\big|\Pr\{I = 0\} - \Pr\{I = 0 | Z = z\}\big| = 2\Delta(p_{ZI}, p_Z \times p_I),$

where $Z$ is uniformly distributed on $\{w,w'\} \times \{0,1\}^\ell$ and $I$ is the outcome of the measurement $\{A, \mathrm{id} - A\}$ performed on the state $\mathcal{E}(Z,K)$. Inequality (4.10) follows from the fact that $\mathcal{E}$ is an $(\ell, \varepsilon)$-locking scheme.

Using Proposition A.3.1, we conclude that $\log t \ge n - \ell - 2$. □

The following corollary gives explicit locking schemes. We mention the constructions based on Theorems 3.4.6 and 3.4.7. Of course, one could obtain a tradeoff between the key size and the dimension of the quantum system.

Corollary 4.1.7 (Explicit locking schemes). Let $\delta > 0$ be a constant, $n$ be a positive integer, $\varepsilon \in (2^{-c'n}, 1)$ ($c'$ is a constant independent of $n$).

• Then, there exists an efficient $\varepsilon$-locking scheme encoding an $n$-bit message in a quantum state of $n' \le (4 + \delta)n + O(\log(1/\varepsilon))$ qubits using a key of size $O(\log(n/\varepsilon))$ bits. In fact, both the encoding and decoding operations are computable using a classical computation with polynomial running time and a quantum circuit with only Hadamard gates and preparations and measurements in the computational basis.

• There also exists an efficient $\varepsilon$-locking scheme $\mathcal{E}'$ encoding an $n$-bit message in a quantum state of $n$ qubits using a key of size $O(\log(n/\varepsilon) \cdot \log n)$ bits. $\mathcal{E}'$ is computable by a classical algorithm with polynomial runtime and a quantum circuit of size $O(n\,\mathrm{polylog}(n/\varepsilon))$.



Proof. For the first result, we observe that the construction of Theorem 4.1.4 encodes the message in the computational basis. Recall that the unitaries $U_k$ of Theorem 3.4.6 are of the form $U_k = P_k V_k$ where $P_k$ is a permutation of the computational basis. Hence, it is possible to classically compute the label of the computational basis element $P_k^\dagger|x\rangle|b\rangle$. One can then prepare the state $P_k^\dagger|x\rangle|b\rangle$ and apply the unitary $V_k^\dagger$ to obtain the ciphertext. The decoding is performed in a similar way. One first applies the unitary $V_k$, measures in the computational basis and then applies the permutation $P_k$ to the $n$-bit string corresponding to the outcome. For the second construction, we apply Theorem 3.4.7 with $n' = n + c'\lceil\log\log n + \log(1/\varepsilon)\rceil$ for some large enough constant $c'$. We can then use a one-time pad encryption on the input to the $B$ system. This increases the size of the key by only $c'\lceil\log\log n + \log(1/\varepsilon)\rceil$ bits. □

As mentioned earlier (see equation (4.1)), explicit states that exhibit locking behaviour have been presented in DiVincenzo et al. [2004]. However, this is the first explicit construction of states $\omega$ that achieves the following strong locking behaviour: for any $\delta > 0$, for $n$ large enough, the state $\omega^{XCK}$ verifies $I_c(X;C)_\omega \le \delta$ and $I_c(X;CK)_\omega = n + \log d_K$ where $K$ is a classical $O(\log(n/\delta))$-bit system. This is a direct consequence of Corollary 4.1.7 taking $\varepsilon = \delta/(20n)$, and Proposition 4.1.3. We should also mention that König et al. [2007] explicitly construct a state exhibiting some weak locking behaviour. We summarize the different locking schemes in Table 4.1.



4.1.3 Impossibility of locking using Pauli operators

The objective of this section is to give an example of a construction that is not a locking scheme, to illustrate what is needed to obtain a locking scheme. The $2 \times 2$ Pauli matrices are the four matrices $\{\mathrm{id}, \sigma_x, \sigma_z, \sigma_x\sigma_z\}$ where

$\sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \quad\text{and}\quad \sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}.$

For bit strings $u, v \in \{0,1\}^n$, we define the unitary operation $\sigma_x^u\sigma_z^v$ on $(\mathbb{C}^2)^{\otimes n}$ by

$\sigma_x^u\sigma_z^v = \sigma_x^{u_1}\sigma_z^{v_1} \otimes \cdots \otimes \sigma_x^{u_n}\sigma_z^{v_n}.$

It was shown by Ambainis et al. [2000] that one can encrypt an $n$-qubit state $|\psi\rangle$ perfectly using a key $(U,V)$ of $2n$ bits. To encrypt $|\psi\rangle$, one simply applies $\sigma_x^U\sigma_z^V$ to $|\psi\rangle$ where $U$
Table 4.1: Comparison of different locking schemes. $n$ is the number of bits of the message. The information leakage and the size of the key are measured in bits and the size of the ciphertext in qubits. Efficient locking schemes have encoding and decoding quantum circuits of size polynomial in $n$. The locking schemes of the first and next to last rows actually have encoding circuits that are in principle implementable with current technology; they only use classical computations and simple single-qubit transformations. It should be noted that our locking definition is stronger than all the previous definitions. Note that the variable $\varepsilon$ can depend on $n$. For example, one can take $\varepsilon = \eta/n$ to make the information leakage arbitrarily small. The symbol $O(\cdot)$ refers to constants independent of $\varepsilon$ and $n$, but there is a dependence on $\delta$ for the next to last row. The symbol $\mathrm{ll}(\cdot)$ refers to $O(\log\log(\cdot))$.

Scheme             | Inf. leak. | Key                    | Ciphertext        | Efficient?
DiVincenzo et al.  | n/2        | 1                      | n                 | yes
Hayden et al.      | 3          | 4 log(n)               | n                 | no
Dupuis et al.      | εn         | 2 log(n/ε²) + O(1)     | n                 | no
Corollary 4.1.5    | εn         | 2 log(1/ε) + ll(1/ε)   | n + 2⌈log(9/ε)⌉   | no
Corollary 4.1.5    | εn         | 4 log(1/ε) + ll(1/ε)   | n                 | no
Corollary 4.1.7    | εn         | O_δ(log(n/ε))          | (4 + δ)·n         | yes
Corollary 4.1.7    | εn         | O(log(n/ε) log(n))     | n                 | yes




and $V$ are uniformly distributed on $\{0,1\}^n$. This can be thought of as a quantum version of one-time pad encryption. Of course, this encryption scheme also defines a $(0,0)$-locking scheme, but the size of the key is $2n$ bits. Recall that we want to use the assumption that the message is random to reduce the key size to $O(\mathrm{polylog}(n))$ bits.

Ambainis and Smith [2004] showed that to achieve approximate encryption, it is sufficient to choose the key uniformly at random from a well-chosen subset $S \subseteq \{0,1\}^{2n}$ of size only $O(n^2 2^n)$. Such pseudorandom subsets are called $\delta$-biased sets and have also been used to construct entropically secure encryption schemes [Desrosiers and Dupuis, 2010, Dodis and Smith, 2005]. For example, Desrosiers and Dupuis [2010] showed that it is possible to encrypt a uniformly random state by applying $\sigma_x^U\sigma_z^V$ where $(U,V)$ is chosen uniformly from a set $S \subseteq \{0,1\}^{2n}$ of size $O(n^{\dots})$ (see [Desrosiers and Dupuis, 2010, Dodis and Smith, 2005] for a precise definition of entropic security). Such a set of transformations can seem like a good candidate for a locking scheme. The following proposition shows that this scheme is far from being $\varepsilon$-locking. Note that this also shows that the notion of entropic security defined in [Desrosiers, 2009, Desrosiers and Dupuis, 2010] is weaker than the definition of locking.

Proposition 4.1.8. Consider an $\varepsilon$-locking scheme $\mathcal{E}$ of the form $\mathcal{E}(x, k = (u,v)) = \sigma_x^u\sigma_z^v|x\rangle$ where the message $x \in \{0,1\}^n$ and the key $u, v \in \{0,1\}^n$ (see Definition 4.1.1). Suppose the secret key $K$ is chosen uniformly from a set $S \subseteq \{0,1\}^{2n}$. Then $|S| \ge (1-\varepsilon)2^n$.

Proof. Let $X$ be the message ($X$ is uniformly distributed over $\{0,1\}^n$) and $(U,V)$ be the key. The key is uniformly distributed on $S$. We show that a measurement in the computational basis gives a lot of information about $X$. Let $I$ be the outcome of measuring $\mathcal{E}(X,K)$ in the computational basis. We have for $x, i \in \{0,1\}^n$,

$\Pr\{X = x | I = i\} = \Pr\{I = i | X = x\} = \frac{1}{|S|}\sum_{(u,v) \in S} \big|\langle i|\sigma_x^u\sigma_z^v|x\rangle\big|^2.$

Observing that the term $|\langle i|\sigma_x^u\sigma_z^v|x\rangle|^2 \in \{0,1\}$, we have that for any fixed $i$, there are at most $|S|$ different values of $x$ for which $\Pr\{X = x | I = i\} > 0$. Thus, defining $T = \{x \in \{0,1\}^n : \Pr\{X = x | I = i\} = 0\}$, we have

$\Delta(p_{X|[I=i]}, p_X) \ge \Pr\{X \in T\} - \Pr\{X \in T | I = i\} = \frac{|T|}{2^n} \ge 1 - \frac{|S|}{2^n}.$

By the definition of a locking scheme, we should have $\Delta(p_{X|[I=i]}, p_X) \le \varepsilon$, which concludes the proof. □
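The bound in this proof, and more generally the quantity $\Delta(p_{X|[I=i]}, p_X)$ of Definition 4.1.1, can be evaluated numerically for a fixed measurement. The following Python script is an added example and not code from the thesis. It simulates small $n$-qubit ciphertexts as state vectors (the encoding maps, the key sets and $n = 3$ are constructed here for illustration) and computes $\max_i \Delta(p_{X|[I=i]}, p_X)$ for the computational-basis measurement, following the Bayes computation of the proof of Theorem 4.1.4. For the DiVincenzo et al. scheme of equation (4.1) (keys $\{\mathrm{id}, H^{\otimes n}\}$) the result is $1/2 - 2^{-n-1}$; for the Pauli scheme with a key set $S$ of size $4$ it is exactly $1 - |S|/2^n$, the bound of the proof above; for the full $2n$-bit Pauli key it is $0$. A small value for one measurement does not establish locking, which quantifies over all measurements, but a large value refutes it, which is how Proposition 4.1.8 rules out small key sets.

```python
# Added example (not code from the thesis): evaluate Delta(p_{X|[I=i]}, p_X) of
# Definition 4.1.1 for the computational-basis measurement on small state-vector
# simulations. The key sets and the value of n are constructed for illustration.

def basis(n, x):
    """Computational basis state |x> of n qubits as a 2^n-entry amplitude list."""
    vec = [0j] * (1 << n)
    vec[x] = 1 + 0j
    return vec

def hadamard_all(state):
    """Apply H on every qubit (the Walsh-Hadamard transform) to a state vector."""
    n = len(state).bit_length() - 1
    out = list(state)
    for q in range(n):
        step = 1 << q
        for i in range(len(out)):
            if i & step == 0:
                a, b = out[i], out[i | step]
                out[i], out[i | step] = (a + b) / 2 ** 0.5, (a - b) / 2 ** 0.5
    return out

def pauli_xu_zv(u, v, state):
    """Apply sigma_x^u sigma_z^v: |x> -> (-1)^{v.x} |x xor u> (sigma_z acts first)."""
    out = [0j] * len(state)
    for x, amp in enumerate(state):
        sign = -1 if bin(v & x).count("1") % 2 else 1
        out[x ^ u] += sign * amp
    return out

def leakage_comp_basis(n, keys, encode):
    """max_i Delta(p_{X|[I=i]}, p_X) for X uniform on {0,1}^n, K uniform on keys and
    I the outcome of measuring the ciphertext encode(n, x, k) in the computational basis."""
    d = 1 << n
    # cond[x][i] = Pr{I = i | X = x} = (1/t) sum_k |<i| E(x,k)>|^2
    cond = [[0.0] * d for _ in range(d)]
    for x in range(d):
        for k in keys:
            vec = encode(n, x, k)
            for i in range(d):
                cond[x][i] += abs(vec[i]) ** 2 / len(keys)
    worst = 0.0
    for i in range(d):
        p_i = sum(cond[x][i] for x in range(d)) / d      # Pr{I = i}
        if p_i == 0.0:
            continue
        post = [cond[x][i] / d / p_i for x in range(d)]   # Bayes: Pr{X = x | I = i}
        delta = 0.5 * sum(abs(post[x] - 1.0 / d) for x in range(d))
        worst = max(worst, delta)
    return worst

def divincenzo_encode(n, x, k):
    """Keys {0, 1}: identity or Hadamard on every qubit, as in equation (4.1)."""
    return basis(n, x) if k == 0 else hadamard_all(basis(n, x))

def divincenzo_decode(n, state, k):
    """With the key, undo the (self-inverse) Hadamard layer and read x off the amplitudes."""
    vec = state if k == 0 else hadamard_all(state)
    return max(range(len(vec)), key=lambda i: abs(vec[i]))

def pauli_encode(n, x, key):
    """Pauli encryption of Proposition 4.1.8 with key (u, v)."""
    u, v = key
    return pauli_xu_zv(u, v, basis(n, x))

if __name__ == "__main__":
    n = 3
    print("DiVincenzo, comp. basis:", leakage_comp_basis(n, [0, 1], divincenzo_encode))
    small = [(u, 0) for u in range(4)]                    # |S| = 4 < 2^n = 8
    print("Pauli, |S| = 4:", leakage_comp_basis(n, small, pauli_encode), ">= 1 - 4/8")
    full = [(u, v) for u in range(1 << n) for v in range(1 << n)]
    print("Pauli, full 2n-bit key:", leakage_comp_basis(n, full, pauli_encode))
```

The `divincenzo_decode` function shows the other half of Definition 4.1.1: with the key the message is recovered exactly, while without it the computational-basis measurement already leaks a constant fraction of the trace distance, in line with the $n/2$ bits of leakage listed for this scheme in Table 4.1.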
4.1.4 Error-tolerant information locking 



The first protocol in Corollary 4.1.7 can in principle be implemented using current 
technology. We say "in principle" because a locking scheme as defined here does not allow 
for any error in the transmission of the ciphertext. Can we construct a locking scheme that 
can tolerate a reasonable rate of errors? 

One simple approach to build a protocol that tolerates errors is to use a quantum error 
correcting code (QECC) to encode the ciphertext. Depending on the properties of the code, 
this would allow the receiver to correct some fraction of errors. Moreover, the security 
is preserved because an eavesdropper could perform an encoding into a QECC as part of 
his attack. Thus, it is possible to make any locking scheme error-tolerant provided we can 
perform encoding and decoding operations for a good QECC. Unfortunately, the encoding 
and decoding maps of interesting quantum error correcting codes are beyond the reach of 
current technology. But note that our objective is not necessarily to recover the quantum 
ciphertext correctly, we only want to be able to recover the classical message. Can we 
construct a locking scheme that can tolerate a reasonable rate of errors and that can be 
implemented with current technology? 

In the remainder of this section, we show that a natural class of error-tolerant protocols cannot be good locking schemes. Consider a locking scheme of the following form. The key is written as $k \in [t]$ and the message $x \in \{0,1\}^n$ is locked in the following way:

• A classical (possibly randomized) function determined by the key $k$ is applied to $x$: $x$ is mapped to $P_k(x, r) \in \{0,1\}^n$, where $r$ is a random string private to Alice.

• The bitstring $P_k(x,r)$ is then encoded in a code $C_k$ possibly depending on the key $k$. The codes $C_k$ are assumed to have minimum distance $a$ for all $k$. This bitstring is denoted $z = C_k(P_k(x,r)) \in \{0,1\}^m$. We denote by $C_k$ also the set of bitstrings in this code.

• A quantum encoding of the form $H^{v_k}$ where $v_k \in \{0,1\}^m$ is performed on the computational basis element $|C_k(P_k(x,r))\rangle$.

We start with a lemma that says that given a set of vectors that are almost orthogonal, they can be well approximated by orthogonal vectors. It was first proven by Schönemann [1966]; see also [Kempe and Vidick, 2010, Claim 20].

Lemma 4.1.9. Let $s \le d$ and $|u_1\rangle, \dots, |u_s\rangle \in \mathbb{C}^d$ be unit vectors such that $\frac{1}{s}\sum_{i \ne j} |\langle u_i|u_j\rangle|^2 \le \epsilon$. Then there exist orthonormal vectors $|v_1\rangle, \dots, |v_s\rangle$ such that

$$\frac{1}{s}\sum_{i} \big\| |u_i\rangle - |v_i\rangle \big\|_2^2 \le \epsilon .$$

Proof. We start by fixing a set of orthonormal vectors $|w_1\rangle, \dots, |w_s\rangle$ such that the span of $|u_1\rangle, \dots, |u_s\rangle$ is included in the span of $|w_1\rangle, \dots, |w_s\rangle$. We then define the matrix $X$ whose columns represent the vectors $|u_i\rangle$ in the basis $|w_1\rangle, \dots, |w_s\rangle$. Write the SVD decomposition of $X$ as $X = U\Sigma V^\dagger$ and let the singular values of $X$ be $\sigma_1, \dots, \sigma_s$. We have

$$\sum_{i\in[s]} (1 - \sigma_i^2)^2 = \|\mathrm{id} - \Sigma^\dagger\Sigma\|_F^2 = \|\mathrm{id} - X^\dagger X\|_F^2 = \sum_{i \ne j} |\langle u_i|u_j\rangle|^2 + \sum_{i\in[s]} (1 - \langle u_i|u_i\rangle)^2 \le s\epsilon$$

by assumption. We now define $Y = UV^\dagger$, look at the columns of this matrix and call these vectors $|v_i\rangle$ (of course the underlying basis used is still $|w_i\rangle$). We have, by writing the desired expression in the basis $|w_i\rangle$ and then multiplying by $U^\dagger$ on the left and $V$ on the right:

$$\sum_i \big\| |u_i\rangle - |v_i\rangle \big\|_2^2 = \|X - Y\|_F^2 = \|\Sigma - \mathrm{id}\|_F^2 = \sum_i (\sigma_i - 1)^2 \le \sum_i (1 - \sigma_i)^2(1 + \sigma_i)^2 \le s\epsilon .$$

□



Proposition 4.1.10. For any encoding of the form above such that the random variable $(Z,V) = (P_K(X,R), v_K)$ is uniformly distributed on its support, there exists a measurement on the ciphertext that gives an outcome $I$ such that

$$I(I;X) \ge (1 - 16 \cdot t2^{-a+1})n - \log t - 2,$$

provided $t2^{-a+1} < 1$.

Remark. Recall that we want $t$ to be sub-exponential (even polynomial) in $n$. Moreover, to be able to correct a constant fraction of errors, we want the minimum distance $a$ to be linear in $n$. In this case, $t2^{-a+1} \ll 1$ and the measurement given by the proposition completely breaks the locking scheme. □



Proof. We will apply Lemma 4.1.9 to the set of vectors $\{H^{v}|z\rangle : (z,v) \in S\}$ with $S = \{(z,v) : \exists k : z \in C_k, v = v_k\}$. Note that a pair $(z,v)$ that appears for different values of $k$ is counted only once. Fix any $z'$ and $v'$ (not necessarily in $S$). We have

$$\sum_{\substack{(z,v_k)\in S \\ (z,v_k)\ne(z',v')}} |\langle z'|H^{v'}H^{v_k}|z\rangle|^2 = \sum_{v_k = v',\, z \ne z'} |\langle z'|z\rangle|^2 + \sum_{v_k \ne v',\, z \in C_k} |\langle z'|H^{v'+v_k}|z\rangle|^2 = 0 + \sum_{v_k \ne v',\, z \in C_k \cap B_{v_k+v'}(z')} |\langle z'|H^{v'+v_k}|z\rangle|^2 \quad (4.11)$$

where $B_{v_k+v'}(z') = \{y \in \{0,1\}^m : y_i = z'_i \text{ whenever } (v_k+v')_i = 0\}$. Observe that for all $z$ and $v$, $|B_v(z)| \le 2^{w(v)}$ and in this case $w(v_k+v') = d_H(v_k,v')$. We now fix some $k$ such that $v_k \ne v'$ and bound the size of $C_k \cap B_{v_k+v'}(z')$ assuming that $C_k$ is a code of minimum distance $a$. The strings of $C_k \cap B_{v_k+v'}(z')$ agree on all but $d_H(v_k,v')$ bits. This means it induces a code of minimum distance $a$ on strings of length $d_H(v_k,v')$. Using the Singleton bound, we get

$$|C_k \cap B_{v_k+v'}(z')| \le 2^{d_H(v_k,v') - a + 1}.$$

To bound the expression in (4.11), we observe that $|\langle z'|H^{v'+v_k}|z\rangle|^2 \le 2^{-d_H(v_k,v')}$. Thus, for a fixed $v_k$,

$$\sum_{z \in C_k \cap B_{v_k+v'}(z')} |\langle z'|H^{v'+v_k}|z\rangle|^2 \le 2^{-a+1}.$$

As a result, we can bound the average over $(z',v') \in S$:

$$\frac{1}{|S|}\sum_{(z',v')\in S}\ \sum_{\substack{(z,v)\in S \\ (z,v)\ne(z',v')}} |\langle z'|H^{v'}H^{v}|z\rangle|^2 \le t \cdot 2^{-a+1}.$$

Using Lemma 4.1.9 for the set of vectors $\{H^{v}|z\rangle : (z,v) \in S\}$, we obtain a set of orthonormal vectors $|w_{z,v}\rangle$ for $(z,v) \in S$ such that $\frac{1}{|S|}\sum_{(z,v)\in S} \big\| |w_{z,v}\rangle - H^{v}|z\rangle \big\|_2^2 \le t2^{-a+1}$.

We can rewrite this inequality as

$$\frac{1}{|S|}\sum_{z,v} \mathrm{Re}\langle w_{z,v}|H^{v}|z\rangle \ge 1 - t2^{-a+1}.$$

Using the Cauchy-Schwarz inequality, we get $\left(\sum_{z,v}\mathrm{Re}\langle w_{z,v}|H^{v}|z\rangle\right)^2 \le |S| \cdot \sum_{z,v}\left(\mathrm{Re}\langle w_{z,v}|H^{v}|z\rangle\right)^2$. It follows that

$$\frac{1}{|S|}\sum_{z,v} |\langle w_{z,v}|H^{v}|z\rangle|^2 \ge \frac{1}{|S|}\cdot\frac{1}{|S|}\cdot\left(\sum_{z,v}\mathrm{Re}\langle w_{z,v}|H^{v}|z\rangle\right)^2 \ge (1 - t2^{-a+1})^2. \quad (4.12)$$
The attack on the locking scheme is defined by the projective measurement on the orthonormal set $\{|w_{z,v}\rangle\}_{(z,v)\in S}$. Note that this is a valid attack because this set does not depend on the private randomness $r$ and only uses the description of the protocol (the codes $C_k$ and the bitstrings $v_k$). Let $I$ be the outcome of the measurement (only the $z$ part, so more precisely we perform the projective measurement whose elements are $\{\sum_{v}|w_{z,v}\rangle\langle w_{z,v}|\}_z$). We have

$$\begin{aligned}
\Pr\{I = Z\} &= \mathbb{E}_{x,r,k}\left[\sum_{v' : (C_k(P_k(x,r)),v')\in S} \left|\langle w_{C_k(P_k(x,r)),v'}|H^{v_k}|C_k(P_k(x,r))\rangle\right|^2\right] \\
&= \sum_{z,v}\Pr\{Z = z, V = v\} \sum_{v' : (z,v')\in S} |\langle w_{z,v'}|H^{v}|z\rangle|^2 \\
&\ge \sum_{z,v}\Pr\{Z = z, V = v\}\, |\langle w_{z,v}|H^{v}|z\rangle|^2 \\
&= \frac{1}{|S|}\sum_{(z,v)\in S} |\langle w_{z,v}|H^{v}|z\rangle|^2 \\
&\ge (1 - t2^{-a+1})^2 .
\end{aligned}$$

Here, we used the assumption that $(Z,V)$ is uniformly distributed on its support so that $\Pr\{Z = z, V = v\} = 1/|S|$. This condition is satisfied for example by the scheme of Corollary 4.1.7. It follows that $\frac{1}{2}\|p_{XI} - p_{XZ}\|_1 \le 2t2^{-a+1}$. Then

$$\begin{aligned}
I(I;X) &= H(X) - H(X|I) \\
&\ge H(X) - H(X|Z) - 4 \cdot 4t2^{-a+1}\, n - 2h_2(4t2^{-a+1}) \\
&\ge n - 16t2^{-a+1}\, n - \left(H(X|ZK) + H(K)\right) - 2h_2(4t2^{-a+1}) \\
&= n - 16t2^{-a+1}\, n - \log t - 2h_2(4t2^{-a+1}).
\end{aligned}$$

In the first inequality, we used the Alicki-Fannes inequality (Lemma 2.2.5). For the second inequality, we used the fact that $H(X|Z) \le H(X|ZK) + H(K)$ and for the last equality, we used the fact that given $Z$ and $K$, we can decode $X$ so that $H(X|ZK) = 0$. □

This result says that if we want to build a locking scheme with a small key that can be implemented with current technology and that tolerates some errors, we should look for schemes that do not lie in the class described above. However, if a key of size $cn$ for some constant $c < 1$ is acceptable (where $n$ is the size of the message), it is possible to construct a locking scheme that is tolerant to errors. In fact, we could for instance, after applying the permutation to the $n$-bit message together with the private random string and obtaining a bit string $z$ of length roughly $4n$, compute some parities of $z$. Let $y$ denote the string of parities obtained. As in the first protocol of Corollary 4.1.7, Alice then encodes $z$ by performing some Hadamard gates according to the key and sends this ciphertext to Bob. In addition, Alice uses another part of the key to encrypt $y$ (using a one-time pad) and sends it to Bob. Using the key, Bob can recover $z'$, a noisy version of $z$, and can recover $y$ perfectly (as it is sent through a classical channel). Using $z'$ and $y$, Bob can recover $z$ provided $z'$ didn't have too many errors.

To obtain a smaller key size, one idea is to use the method described above as a key expansion procedure and repeat it many times. Typically the number of times we would like to expand the key is $O(\log n)$, and it is thus possible to choose independently the permutation and Hadamard gates that are applied at each step. But it seems difficult to analyse how these protocols compose. It is not clear what kind of information can be obtained from a measurement that acts on the big protocol.

4.1.5 Quantum hiding fingerprints 



In this section, we show that the locking scheme of Corollary 4.1.5 can be used to build mixed state quantum hiding fingerprints as defined by Gavinsky and Ito [2010]. A quantum fingerprint encodes an $n$-bit string into a quantum state $\rho_x$ of $n' \ll n$ qubits such that given $y \in \{0,1\}^n$ and the fingerprint $\rho_x$, it is possible to decide with small error probability whether $x = y$ [Buhrman et al., 2001]. The additional hiding property ensures that measuring $\rho_x$ leaks very little information about $x$. Gavinsky and Ito [2010] used the accessible information¹ as a measure of the hiding property. Here, we strengthen this definition by imposing a bound on the total variation distance instead (see Proposition 3.2.2).

Definition 4.1.11 (Quantum hiding fingerprint). Let $n$ be a positive integer, $\delta, \epsilon \in (0,1)$ and $C$ be a Hilbert space. An encoding $f : \{0,1\}^n \to \mathcal{S}(C)$ together with a set of measurements $\{M_y, \mathrm{id} - M_y\}$ for each $y \in \{0,1\}^n$ is a $(\delta,\epsilon)$-hiding fingerprint if

1. (Fingerprint property) For all $x \in \{0,1\}^n$, $\mathrm{tr}[M_x f(x)] = 1$ and for $y \ne x$, $\mathrm{tr}[M_y f(x)] \le \delta$.

2. (Hiding property) Let $X$ be uniformly distributed on $\{0,1\}^n$. Then, for any POVM $\{N_i\}$ on the system $C$ whose outcome on $f(X)$ is denoted $I$, we have for all possible outcomes $i$,

$$\Delta(p_{X|I=i}, p_X) \le \epsilon .$$

¹The accessible information about $X$ in a quantum system $C$ refers to the maximum over all measurements of the system $C$ of $I(X;I)$ where $I$ is the outcome of that measurement.
We usually want the Hilbert space $C$ to be composed of $O(\log n)$ qubits. Gavinsky and Ito [2010] proved that for any constant $c$, there exist efficient quantum hiding fingerprinting schemes for which the number of qubits in system $C$ is $O(\log n)$ and both the error probability $\delta$ and the accessible information are bounded by $1/n^c$. Here, we prove that the same result can be obtained by locking a classical fingerprint. The general structure of our quantum hiding fingerprint for parameters $n$, $\delta$ and $\epsilon$ is as follows:

1. Choose a random prime $p \in \mathcal{P}_{n,\epsilon,\delta}$ uniformly from the set $\mathcal{P}_{n,\epsilon,\delta}$.

2. Set $t = \lceil c\log(1/\epsilon)\epsilon^{-2}\rceil$, $d_A = p$ and $d_B = \lceil c'/\epsilon^2\rceil$ and generate $t$ random unitaries $U^p_1, \dots, U^p_t$ acting on $A \otimes B$.

3. The fingerprint consists of the random prime $p$ and the state $(U^p_k)^\dagger |x \bmod p\rangle_A |b\rangle_B$ where $k \in [t]$ and $b \in [d_B]$ are chosen uniformly and independently. The density operator representing this state is denoted $f(x) = \frac{1}{td_B}\sum_{k,b} (U^p_k)^\dagger |x \bmod p\rangle\langle x \bmod p|_A \otimes |b\rangle\langle b|_B\, U^p_k$.

Observe that even though this protocol is randomized because the unitaries are chosen at random, it is possible to implement it with resources polynomial in $n$ as the size of the message to be locked is $O(\log n)$ bits. In fact, one can approximately sample a random unitary in dimension $2^{O(\log n)}$ using a polynomial number of public random bits. The mixed state protocol of Gavinsky and Ito [2010] achieves roughly the same parameters. Their construction is also randomized but it uses random codes instead of random unitaries. For this reason, the protocol of Gavinsky and Ito [2010] would probably be more efficient in practice.

Theorem 4.1.12. There exist constants $c$, $c'$ and $c''$, such that for all positive integers $n$ and $\delta, \epsilon \in (0,1/4)$, if we define $\mathcal{P}_{n,\delta,\epsilon}$ to be the set of primes in the interval $[l,u]$ where

$$l = \left(\frac{c''\log^2(1/\epsilon)}{\delta\,\epsilon^{8}}\right)^{1/0.9} + 10n \quad\text{and}\quad u = l + (2n/\delta)^2$$

and provided $u \le 2^{n-2}$, the scheme described above is a $(\delta,\epsilon)$-hiding fingerprint with probability $1 - 2^{-\Omega(n)}$ over the choice of random unitaries.

The proof of this result involves two parts. First, we need to show that the fingerprint of a uniformly distributed $X \in \{0,1\}^n$ does not give away much information about $X$. This follows easily from Theorem 3.3.2 and Theorem 4.1.4. We also need to show that for every $y \in \{0,1\}^n$, there is a measurement that Bob can apply to the fingerprint to determine with high confidence whether it corresponds to a fingerprint of $y$ or not. In order to prove this we use Lemma 4.1.9 that gives a way of approximating a set of almost orthogonal vectors by a set of orthogonal vectors.

Lemma 4.1.13. Let $\{U_1, \dots, U_t\}$ be a set of unitary transformations on $AB$ that define $\gamma$-MUBs and $d = d_A d_B$. Define for $y \in [d_A]$ the subspace $F_y = \mathrm{span}\{U_k^\dagger|y\rangle|b\rangle : k \in [t], b \in [d_B]\}$. Then for any $x \in [d_A]$, $y \ne x$, $k_0 \in [t]$ and $b_0 \in [d_B]$,

$$\mathrm{tr}\left[\Pi_{F_y}\, U_{k_0}^\dagger|x\rangle|b_0\rangle\langle x|\langle b_0|U_{k_0}\right] \le 3(td_B)^2 d^{-\gamma},$$

where $\Pi_F$ is the projector on the subspace $F$.

Proof. Consider the set of vectors $\{U_k^\dagger|y\rangle|b\rangle\}_{k\in[t],\, b\in[d_B]}$. We have for all $(k,b) \ne (k',b')$,

$$|\langle y|\langle b'|U_{k'}U_k^\dagger|y\rangle|b\rangle| \le d^{-\gamma/2},$$

and as a result,

$$\frac{1}{td_B}\sum_{(k,b)\ne(k',b')} |\langle y|\langle b'|U_{k'}U_k^\dagger|y\rangle|b\rangle|^2 \le td_B\, d^{-\gamma}.$$

Using Lemma 4.1.9 we obtain a set of orthonormal vectors $\{|e_{k,b}(y)\rangle\}_{k,b}$ such that

$$\frac{1}{td_B}\sum_{k,b}\big\| |e_{k,b}(y)\rangle - U_k^\dagger|y\rangle|b\rangle \big\|_2^2 \le td_B\, d^{-\gamma}.$$

Note that $\{|e_{k,b}(y)\rangle\}_{k,b}$ is an orthonormal basis for $F_y$ so we can write $\Pi_{F_y} = \sum_{k,b}|e_{k,b}(y)\rangle\langle e_{k,b}(y)|$. Now observe that, using the Cauchy-Schwarz inequality and the fact that the vectors have unit norm, we have $|\langle e_{k,b}(y)|U_{k_0}^\dagger|x\rangle|b_0\rangle| \le |\langle y|\langle b|U_kU_{k_0}^\dagger|x\rangle|b_0\rangle| + \big\| |e_{k,b}(y)\rangle - U_k^\dagger|y\rangle|b\rangle \big\|_2$. As a result, we have

$$\begin{aligned}
\mathrm{tr}\left[\Pi_{F_y}\, U_{k_0}^\dagger|x\rangle|b_0\rangle\langle x|\langle b_0|U_{k_0}\right] &= \sum_{k,b} |\langle e_{k,b}(y)|U_{k_0}^\dagger|x\rangle|b_0\rangle|^2 \\
&\le \sum_{k,b}\left( |\langle y|\langle b|U_kU_{k_0}^\dagger|x\rangle|b_0\rangle| + \big\| |e_{k,b}(y)\rangle - U_k^\dagger|y\rangle|b\rangle \big\|_2 \right)^2 \\
&\le td_B\, d^{-\gamma} + (td_B)^2 d^{-\gamma} + \sum_{k,b} |\langle y|\langle b|U_kU_{k_0}^\dagger|x\rangle|b_0\rangle| \cdot \big\| |e_{k,b}(y)\rangle - U_k^\dagger|y\rangle|b\rangle \big\|_2 \\
&\le 3(td_B)^2 d^{-\gamma}.
\end{aligned}$$

□



Proof [of Theorem 4.1.12]. We start by proving the hiding property. For any fixed $p$, the random variable $Z \stackrel{\mathrm{def}}{=} X \bmod p$ is almost uniformly distributed on $\{0, \dots, p-1\}$. In fact, we have for any $z \in \{0,\dots,p-1\}$, $\Pr\{Z = z\} \le \frac{1 + p2^{-n}}{p}$. In other words, $H_{\min}(Z) \ge \log p - \log(1 + p2^{-n})$. Thus, using Theorem 3.3.2 and Theorem 4.1.4 we have that except with probability exponentially small in $n$ (on the choice of the random unitary), the fingerprinting scheme satisfies for any measurement outcome $i$

$$\Delta(p_{Z|I=i}, p_Z) \le 4\epsilon$$

where $I$ denotes the outcome of a measurement on the state $f(X)$. Recall that we are interested in the information leakage about $X$ not $Z$. For this, we note that the random variables $X, Z, I$ form a Markov chain. Thus,

$$\begin{aligned}
\Delta(p_{X|I=i}, p_X) &= \frac{1}{2}\sum_{x\in\{0,1\}^n}\left|\sum_z \Pr\{Z = z \mid I = i\}\Pr\{X = x \mid I = i, Z = z\} - \Pr\{Z = z\}\Pr\{X = x \mid Z = z\}\right| \\
&= \frac{1}{2}\sum_{x\in\{0,1\}^n}\left|\sum_z \Pr\{Z = z \mid I = i\}\Pr\{X = x \mid Z = z\} - \Pr\{Z = z\}\Pr\{X = x \mid Z = z\}\right| \\
&\le \frac{1}{2}\sum_z \left|\Pr\{Z = z \mid I = i\} - \Pr\{Z = z\}\right| \sum_{x\in\{0,1\}^n}\Pr\{X = x \mid Z = z\} \\
&= \Delta(p_{Z|I=i}, p_Z) \le 4\epsilon .
\end{aligned}$$

This proves the hiding property.

We now analyse the fingerprint property. Let $x, y \in [2^n]$ and $p$ be the random prime of the fingerprint. We define the measurements by $M_y = \Pi_{F_y}$ for all $y \in \{0,1\}^n$ where $\Pi_{F_y}$ is the projector onto the subspace $F_y = \mathrm{span}\{(U^p_k)^\dagger|y \bmod p\rangle|b\rangle : k \in [t], b \in [d_B]\}$. If $x = y$, then $f(x)$ is a mixture of states in $\mathrm{span}\{(U^p_k)^\dagger|y \bmod p\rangle|b\rangle : k \in [t], b \in [d_B]\}$. Thus $\mathrm{tr}[M_y f(x)] = 1$.

We now suppose that $x \ne y$. First, we have for a random choice of prime $p \in \mathcal{P}_{n,\epsilon,\delta}$, $\Pr\{x \bmod p = y \bmod p\} = \Pr\{x - y \bmod p = 0\} \le \delta/2$ as the number of distinct prime divisors of $x - y$ is at most $n$ and the number of primes in $[l,u]$ is at least $2n/\delta$ for $n$ large enough. Then, whenever $x \bmod p \ne y \bmod p$, Lemma 4.1.13 with $\gamma = 0.9$ gives

$$\mathrm{tr}[\Pi_{F_y} f(x)] \le 3(td_B)^2 (d_Ad_B)^{-0.9} \le 3 \cdot 4c^2c'^2\,\frac{\log^2(1/\epsilon)}{\epsilon^{8}}\cdot\frac{\delta\,\epsilon^{8}}{c''\log^2(1/\epsilon)} \le \delta/2$$

for $c''$ large enough with probability $1 - 2^{-\Omega(d_Ad_B)} = 1 - 2^{-\Omega(n)}$ over the choice of the random unitaries (using Theorem 3.3.2). Finally, we get $\mathrm{tr}[\Pi_{F_y} f(x)] \le \delta$ with probability $1 - 2^{-\Omega(n)}$. □
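The classical layer of this construction (step 1 and the two halves of the proof above) can be checked exactly on a small instance. The Python below is an added example, not code from the thesis: it computes the collision probability $\Pr_p\{x \bmod p = y \bmod p\}$ over a uniform prime $p$ in an interval against the bound $n/|\mathcal{P}|$ used for the fingerprint property, and the exact min-entropy of $Z = X \bmod p$ against the bound $\log p - \log(1+p2^{-n})$ used for the hiding property; the interval $[50, 400]$ and the pair $x = 3132$, $y = 5$ are constructed sample values.

```python
"""Added example: classical core of the hiding fingerprint of Section 4.1.5.

Two facts from the proof of Theorem 4.1.12 are checked exactly on a small,
constructed instance (the sample values below are not from the thesis):
  * fingerprint property: for x != y, Pr_p{x mod p = y mod p} <= n / |P|,
    because 0 < |x - y| < 2^n has at most n distinct prime divisors;
  * hiding property: Z = X mod p for X uniform on {0,1}^n satisfies
    H_min(Z) >= log p - log(1 + p 2^{-n}).
"""
from fractions import Fraction
from math import log2


def primes_in_interval(lo, hi):
    """All primes p with lo <= p <= hi (sieve of Eratosthenes; small hi only)."""
    sieve = bytearray([1]) * (hi + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(hi ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, hi + 1, i)))
    return [p for p in range(max(lo, 2), hi + 1) if sieve[p]]


def fingerprint(x, p):
    """The classical fingerprint that the quantum scheme locks: x mod p."""
    return x % p


def collision_probability(x, y, primes):
    """Exact Pr{x mod p = y mod p} for p uniform over `primes` (x != y)."""
    hits = sum(1 for p in primes if (x - y) % p == 0)
    return Fraction(hits, len(primes))


def collision_bound(n, primes):
    """n / |P|: a nonzero integer below 2^n has at most n distinct prime
    divisors, so at most n primes of P can make x and y collide."""
    return Fraction(n, len(primes))


def max_prob_x_mod_p(n, p):
    """max_z Pr{X mod p = z} for X uniform on {0,1}^n, exactly.
    Residues below 2^n mod p have ceil(2^n / p) preimages, the rest floor."""
    return Fraction((2 ** n + p - 1) // p, 2 ** n)


def min_entropy_x_mod_p(n, p):
    """H_min(Z) = -log2 max_z Pr{Z = z} for Z = X mod p."""
    return -log2(max_prob_x_mod_p(n, p))


def min_entropy_bound(n, p):
    """The lower bound used in the proof: log p - log(1 + p 2^{-n}).
    It follows from ceil(2^n/p)/2^n <= (2^n/p + 1)/2^n = (1 + p 2^{-n})/p."""
    return log2(p) - log2(1 + p * 2.0 ** (-n))


def check_instance(n, lo, hi, x, y, delta):
    """Run both checks for message length n, prime interval [lo, hi], a pair
    x != y of n-bit strings and a target error delta for the equality test."""
    if not (0 <= x < 2 ** n and 0 <= y < 2 ** n and x != y):
        raise ValueError("x and y must be distinct n-bit strings")
    primes = primes_in_interval(lo, hi)
    p_coll = collision_probability(x, y, primes)
    bound = collision_bound(n, primes)
    # The theorem asks for at least 2n/delta primes, which makes bound <= delta/2.
    enough_primes = len(primes) >= 2 * n / delta
    p_min = min(primes)  # the smallest prime is the worst case for hiding
    return {
        "num_primes": len(primes),
        "collision_probability": p_coll,
        "collision_bound": bound,
        "collision_ok": p_coll <= bound,
        "bound_below_delta_half": enough_primes and bound <= delta / 2,
        "min_entropy": min_entropy_x_mod_p(n, p_min),
        "min_entropy_bound": min_entropy_bound(n, p_min),
        "hiding_ok": min_entropy_x_mod_p(n, p_min) >= min_entropy_bound(n, p_min),
    }


if __name__ == "__main__":
    # Constructed sample: n = 16, primes in [50, 400]; x - y = 53 * 59, so
    # exactly two primes of the interval make the two fingerprints collide.
    report = check_instance(n=16, lo=50, hi=400, x=3132, y=5, delta=0.6)
    for key, value in report.items():
        print(f"{key:>24}: {value}")
```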



4.1.6 String commitment 

In this section, we show how to use a locking scheme to obtain a weak form of bit commitment [Buhrman et al., 2006]. Bit commitment is an important two-party cryptographic primitive defined as follows. Consider two mutually distrustful parties Alice and Bob who are only allowed to communicate over some channel. The objective is to be able to achieve the following: Alice secretly chooses a bit $x$ and communicates with Bob to convince him that she fixed her choice, without revealing the actual bit $x$. This is the commit stage. At the reveal stage, Alice reveals the secret $x$ and enables Bob to open the commitment. Bob can then check whether Alice was honest.

Using classical or quantum communication, unconditionally secure bit commitment is known to be impossible [Lo and Chau, 1997, Mayers, 1997]. However, commitment protocols with weaker security guarantees do exist [Buhrman et al., 2006, 2008, Damgård et al., 2005, Spekkens and Rudolph, 2001]. Here, we consider the string commitment scenario studied in [Buhrman et al., 2008, Section III]. In a string commitment protocol, Alice commits to an $n$-bit string. Alice's ability to cheat is quantified by the number of strings she can reveal successfully. The ability of Bob to cheat is quantified by the information he can obtain about the string to be committed. One can formalize these notions in many ways. We use a security criterion that is similar to the one of Buhrman et al. [2008] except that we use the statistical distance between the outcome distribution and the uniform distribution, instead of the accessible information. Our definition is slightly stronger by virtue of Proposition 4.1.3. For a detailed study of string commitment in a more general setting, see [Buhrman et al., 2008].

Definition 4.1.14. An $(n, \alpha, \beta)$-quantum bit string commitment is a quantum communication protocol between Alice (the committer) and Bob (the receiver) which has two phases. When both players are honest the protocol takes the following form.

• (Commit phase) Alice chooses a string $X \in \{0,1\}^n$ uniformly. Alice and Bob communicate, after which Bob holds a state $\rho_X$.

• (Reveal phase) Alice and Bob communicate and Bob learns $X$.

The parameters $\alpha$ and $\beta$ are security parameters.

• If Alice is honest, then for any measurement performed by Bob on her state $\rho_X$, we have $\Delta(p_X, p_{X|I=i}) \le \beta/n$ where $I$ is the outcome of the measurement.

• If Bob is honest, then for all commitments of Alice: $\sum_{x\in\{0,1\}^n} p_x \le 2^{\alpha}$ where $p_x$ is the probability that Alice successfully reveals $x$.

Following the strategy of Buhrman et al. [2008], the following protocol for string commitment can be defined using a locking scheme $\mathcal{E}$.

• Commit phase: Alice has the string $X \in \{0,1\}^n$ and chooses a key $K \in [t]$ uniformly at random. She sends the state $\mathcal{E}(X,K)$ to Bob.

• Reveal phase: Alice announces both the string $X$ and the key $K$. Using the key, Bob decodes some value $X'$. He accepts if $X = X'$.

A protocol is said to be efficient if the communication (in terms of the number of qubits exchanged) is polynomial in $n$ and the computations performed by Alice and Bob can be done in polynomial time on a quantum computer. The protocol presented in Buhrman et al. [2008] is not efficient in terms of computation and is efficient in terms of communication only if the cost of communicating a (random) unitary in dimension $2^n$ is disregarded. Using the efficient locking scheme of Corollary 4.1.7 we get

Corollary 4.1.15. Let $n$ be a positive integer and $\beta \in (n2^{-cn}, n)$ ($c$ is a constant independent of $n$). There exists an efficient $(n, c\log(n^2/\beta), \beta)$-quantum bit string commitment protocol for some constant $c$ independent of $n$ and $\beta$.

Proof. We use the first construction of Corollary 4.1.7 with $\epsilon = \beta/n$. If Bob is honest, the security analysis is exactly the same as in Buhrman et al. [2008]. If Alice is honest, the security follows directly from the definition of the locking scheme. □
4.1.7 Locking entanglement of formation

The entanglement of formation is a measure of the entanglement in a bipartite quantum state that attempts to quantify the number of singlets required to produce the state in question using only local operations and classical communication [Bennett et al., 1996]. For a bipartite state $\rho_{XY}$, the entanglement of formation is defined as

$$E_f(X;Y)_\rho = \min_{\{p_i, |\psi_i\rangle\}} \sum_i p_i H(X)_{\psi_i} \quad (4.13)$$

where the minimization is taken over all possible ways to write $\rho_{XY} = \sum_i p_i|\psi_i\rangle\langle\psi_i|$ with $\sum_i p_i = 1$. Entanglement of formation is related to the following quantity:

$$I^{\leftarrow}(X;Y)_\rho = \max_{\{M_i\}} I(X;I)$$

where the maximization is taken over all measurements $\{M_i\}$ performed on the system $Y$ and $I$ is the outcome of this measurement. This quantity is sometimes referred to as the classical correlations between $X$ and $Y$ [Henderson and Vedral, 2001]. As mentioned previously, when the system $X$ is classical, this correlation measure is called accessible information. Koashi and Winter [2004] showed that for a pure state $|\rho\rangle_{XYY'}$, a simple identity holds:

$$E_f(X;Y)_\rho + I^{\leftarrow}(X;Y')_\rho = H(X)_\rho . \quad (4.14)$$

Let $\{U_1, \dots, U_t\}$ be a set of unitary transformations of $A \otimes B \cong C$ and define

$$|\rho\rangle_{ABCA'K} = \frac{1}{\sqrt{t\,d_A d_B}}\sum_{k\in[t],\, a\in[d_A],\, b\in[d_B]} |a\rangle_A |b\rangle_B \left(U_k^\dagger|a\rangle\otimes|b\rangle\right)_C |a\rangle_{A'} |k\rangle_K .$$

If $\{U_1, \dots, U_t\}$ satisfies an $\epsilon$-metric uncertainty relation, then we get a locking effect using Theorem 4.1.4 and Proposition 4.1.3. In fact, we have $I^{\leftarrow}(A;C)_\rho \le 8\epsilon\log d_A + 2h_2(2\epsilon)$ and $I^{\leftarrow}(A;CK)_\rho = \log d_A$. Thus, using (4.14), we get

$$E_f(A;A'BK)_\rho = H(A)_\rho - I^{\leftarrow}(A;C)_\rho \ge (1 - 8\epsilon)\log d_A - 2h_2(2\epsilon)$$

and discarding the system $K$ of dimension $t$ we obtain a separable state:

$$E_f(A;A'B)_\rho = 0 .$$

Explicit states exhibiting weak locking behaviour of the entanglement of formation have been presented in Horodecki et al. [2005a]. Strong but non-explicit instances of locking the entanglement of formation were derived in Hayden et al. [2006]. Here, using Theorem 3.4.6 we obtain explicit examples of strong locking behaviour.

One could also consider other quantities related to classical correlations, such as the popular quantum discord [Ollivier and Zurek, 2001], and they would exhibit a similar locking behaviour.



4.2 Quantum identification codes 



Consider the following quantum analogue of the equality testing communication problem. Alice is given an $n$-qubit state $|\psi\rangle \in \mathcal{C}$ and Bob is given $|\varphi\rangle \in \mathcal{C}$. Bob wants to output $1$ with probability in the interval $[|\langle\psi|\varphi\rangle|^2 - \epsilon, |\langle\psi|\varphi\rangle|^2 + \epsilon]$ and $0$ with probability in the interval $[1 - |\langle\psi|\varphi\rangle|^2 - \epsilon, 1 - |\langle\psi|\varphi\rangle|^2 + \epsilon]$. This task is referred to as quantum identification [Winter, 2004]. Note that communication only goes from Alice to Bob. There are many possible variations to this problem. One of the interesting models is when Alice receives the quantum state $|\psi\rangle$ and Bob gets a classical description of $|\varphi\rangle$. An $\epsilon$-quantum-ID code is defined by an encoder, which is a quantum operation that maps Alice's quantum state $|\psi\rangle$ to another quantum state which is transmitted to Bob, and a family of decoding POVMs $\{D_\varphi, \mathrm{id} - D_\varphi\}$ for all $|\varphi\rangle$ that Bob performs on the state he receives from Alice.

Definition 4.2.1 (Quantum identification [Winter, 2004]). Let $\mathcal{H}_1, \mathcal{H}_2, \mathcal{C}$ be Hilbert spaces and $\epsilon \in (0,1)$. An $\epsilon$-quantum-ID code for the space $\mathcal{C}$ using the channel $\mathcal{N} : \mathcal{S}(\mathcal{H}_1) \to \mathcal{S}(\mathcal{H}_2)$ consists of an encoding map $\mathcal{E} : \mathcal{S}(\mathcal{C}) \to \mathcal{S}(\mathcal{H}_1)$ and a set of POVMs $\{D_\varphi, \mathrm{id} - D_\varphi\}$ acting on $\mathcal{S}(\mathcal{H}_2)$, one for each pure state $|\varphi\rangle$, such that

$$\forall |\psi\rangle, |\varphi\rangle \in \mathcal{C}, \quad \left|\mathrm{tr}\left[D_\varphi\,\mathcal{N}(\mathcal{E}(\psi))\right] - |\langle\varphi|\psi\rangle|^2\right| \le \epsilon .$$

Here we consider channels $\mathcal{N}$ transmitting noiseless qubits and noiseless classical bits. We also say that $\epsilon$-quantum identification of $n$-qubit states can be performed using $\ell$ bits and $m$ qubits when there exists an $\epsilon$-quantum-ID code for the space $\mathcal{C} = (\mathbb{C}^2)^{\otimes n}$ using the channel $\mathcal{N} = \overline{\mathrm{id}}_2^{\otimes \ell} \otimes \mathrm{id}_2^{\otimes m}$, where $\overline{\mathrm{id}}_2$ and $\mathrm{id}_2$ are the noiseless bit and qubit channels.

Hayden and Winter [2012] showed that classical communication alone cannot be used for quantum identification. However, a small amount of quantum communication makes classical communication useful. Using our metric uncertainty relations, we prove better bounds on the number of qubits of communication and give an efficient encoder for this problem.

Our protocol is based on a duality between quantum identification and approximate forgetfulness of a quantum channel demonstrated in [Hayden and Winter, 2012, Theorem 7]. Specialized to our setting, the direction of the duality we use states that if $V : \mathcal{C} \to A \otimes B$ defines a low-distortion embedding of $(\mathcal{C}, \ell_2)$ into $(AB, \ell_1(\ell_2))$, then the maps $\Gamma_a : \mathcal{C} \to B$ for $a \in [d_A]$ defined by $|\psi\rangle \mapsto \sum_{b\in[d_B]} \left(\langle a|\langle b|V|\psi\rangle\right)|b\rangle$ approximately preserve inner products on average. The following lemma gives a precise statement. We give an elementary proof in the interest of making the presentation self-contained.



Lemma 4.2.2. Let $V : \mathcal{C} \to A \otimes B$ be an isometry, i.e., for all $|\psi\rangle \in \mathcal{C}$, $\|V|\psi\rangle\|_2 = \||\psi\rangle\|_2$. For any vector $|\psi\rangle \in \mathcal{C}$, we define the vectors $|\psi_a\rangle \in B$ by $V|\psi\rangle = \sum_{a\in[d_A]} |a\rangle|\psi_a\rangle$. Assume that $V$ satisfies the following property:

$$\forall |\psi\rangle \in \mathcal{C}, \quad \sum_{a\in[d_A]} \left|\,\||\psi_a\rangle\|_2^2 - \frac{\||\psi\rangle\|_2^2}{d_A}\right| \le \epsilon\,\||\psi\rangle\|_2^2 . \quad (4.15)$$

Then we have for all unit vectors $|\psi\rangle, |\varphi\rangle \in \mathcal{C}$ with $V|\psi\rangle = \sum_{a\in[d_A]}|a\rangle|\psi_a\rangle$ and $V|\varphi\rangle = \sum_{a\in[d_A]}|a\rangle|\varphi_a\rangle$,

$$\frac{1}{d_A}\sum_{a\in[d_A]} \left|\frac{|\langle\psi_a|\varphi_a\rangle|^2}{\||\psi_a\rangle\|_2^2\,\||\varphi_a\rangle\|_2^2} - |\langle\psi|\varphi\rangle|^2\right| \le 12\epsilon + 2\sqrt{\epsilon}. \quad (4.16)$$



Proof. Let $|\psi\rangle$ and $|\varphi\rangle$ be unit vectors in $\mathcal{C}$. We use the triangle inequality to get

$$\frac{1}{d_A}\sum_{a\in[d_A]} \left|\frac{|\langle\psi_a|\varphi_a\rangle|^2}{\||\psi_a\rangle\|_2^2\,\||\varphi_a\rangle\|_2^2} - |\langle\psi|\varphi\rangle|^2\right| \le \frac{1}{d_A}\sum_{a\in[d_A]} \left| d_A^2\,|\langle\psi_a|\varphi_a\rangle|^2 - |\langle\psi|\varphi\rangle|^2\right| + \frac{1}{d_A}\sum_{a\in[d_A]} |\langle\psi_a|\varphi_a\rangle|^2 \left|\frac{1}{\||\psi_a\rangle\|_2^2\,\||\varphi_a\rangle\|_2^2} - d_A^2\right| . \quad (4.17)$$

We start by dealing with the first term in (4.17). Observe that

$$\begin{aligned}
\left| |\langle\psi_a|\varphi_a\rangle|^2 - \frac{|\langle\psi|\varphi\rangle|^2}{d_A^2}\right| &\le \left| (\mathrm{Re}\langle\psi_a|\varphi_a\rangle)^2 - \frac{(\mathrm{Re}\langle\psi|\varphi\rangle)^2}{d_A^2}\right| + \left| (\mathrm{Im}\langle\psi_a|\varphi_a\rangle)^2 - \frac{(\mathrm{Im}\langle\psi|\varphi\rangle)^2}{d_A^2}\right| \\
&\le 2\left|\mathrm{Re}\langle\psi_a|\varphi_a\rangle - \frac{\mathrm{Re}\langle\psi|\varphi\rangle}{d_A}\right| + 2\left|\mathrm{Im}\langle\psi_a|\varphi_a\rangle - \frac{\mathrm{Im}\langle\psi|\varphi\rangle}{d_A}\right| . \quad (4.18)
\end{aligned}$$

In the last inequality, we used the fact that $|x^2 - y^2| \le 2|x - y|$ whenever $|x + y| \le 2$.

To bound these terms, we apply the assumption about $V$ (equation (4.15)) to the vector $|\psi\rangle - |\varphi\rangle$:

$$\sum_{a\in[d_A]} \left|\,\||\psi_a\rangle - |\varphi_a\rangle\|_2^2 - \frac{\||\psi\rangle - |\varphi\rangle\|_2^2}{d_A}\right| \le \epsilon\,\||\psi\rangle - |\varphi\rangle\|_2^2 \le 4\epsilon .$$

By expanding $\||\psi_a\rangle - |\varphi_a\rangle\|_2^2$ and $\||\psi\rangle - |\varphi\rangle\|_2^2$, we obtain using the triangle inequality

$$\sum_{a\in[d_A]} \left| 2\mathrm{Re}\langle\psi_a|\varphi_a\rangle - \frac{2\mathrm{Re}\langle\psi|\varphi\rangle}{d_A}\right| \le 4\epsilon + \sum_{a\in[d_A]}\left|\,\||\psi_a\rangle\|_2^2 - \frac{\||\psi\rangle\|_2^2}{d_A}\right| + \sum_{a\in[d_A]}\left|\,\||\varphi_a\rangle\|_2^2 - \frac{\||\varphi\rangle\|_2^2}{d_A}\right| \le 6\epsilon .$$

In the last inequality, we used equation (4.15) for $|\psi\rangle$ and $|\varphi\rangle$. The same argument can be applied to $i|\psi\rangle$ and $|\varphi\rangle$ to get

$$\sum_{a\in[d_A]} \left| 2\mathrm{Im}\langle\psi_a|\varphi_a\rangle - \frac{2\mathrm{Im}\langle\psi|\varphi\rangle}{d_A}\right| \le 6\epsilon .$$

Thus, substituting in equation (4.18) we obtain

$$\sum_{a\in[d_A]} \left| |\langle\psi_a|\varphi_a\rangle|^2 - \frac{|\langle\psi|\varphi\rangle|^2}{d_A^2}\right| \le 12\epsilon .$$

We now consider the second term in (4.17). We have, using the Cauchy-Schwarz inequality $|\langle\psi_a|\varphi_a\rangle|^2 \le \||\psi_a\rangle\|_2^2\,\||\varphi_a\rangle\|_2^2$,

$$\frac{1}{d_A}\sum_{a\in[d_A]} |\langle\psi_a|\varphi_a\rangle|^2 \left|\frac{1}{\||\psi_a\rangle\|_2^2\,\||\varphi_a\rangle\|_2^2} - d_A^2\right| \le \frac{1}{d_A}\sum_{a\in[d_A]} \left| 1 - d_A^2\,\||\psi_a\rangle\|_2^2\,\||\varphi_a\rangle\|_2^2\right| \le 2\sqrt{\epsilon} .$$

For the remaining inequalities, we used once again the Cauchy-Schwarz inequality, the fact that $\sum_{a\in[d_A]} \||\psi_a\rangle\|_2^2 = \|V|\psi\rangle\|_2^2 = 1$ and the inequality $|x - y|^2 \le |x - y||x + y| = |x^2 - y^2|$ for all nonnegative $x, y$. Plugging this bound into equation (4.17), we obtain the desired result.

□
[Figure 4.2: circuit diagram (image not reproduced). Labels: systems $K$, $A$, $B$; outcome $k, a$; classical description of $|\varphi\rangle$.]

Figure 4.2: Quantum identification based on a metric uncertainty relation. The system $K$ is prepared in a uniform superposition state $\frac{1}{\sqrt{t}}\sum_k |k\rangle$. Then, controlled by system $K$, the unitary $U_k$ is applied to $C = A \otimes B$, where the unitary transformations $\{U_k\}$ satisfy a metric uncertainty relation. The $KA$ system is then measured in its computational basis. The outcome $k, a$ of this measurement is sent through the classical channel. The system $B$ is sent using the noiseless quantum channel. The receiver constructs a POVM $D^{\varphi}_{k,a}$ based on a classical description of the state $|\varphi\rangle$ he wishes to test for and the classical communication $k, a$ he receives.

Theorem 4.2.3 (Quantum identification using classical communication). Let $n$ be a positive integer and $\epsilon \in (2^{-c'n}, 1)$ where $c'$ is a constant independent of $n$. Then for some $m = O(\log(1/\epsilon))$, $\epsilon$-quantum identification of $n$-qubit states can be performed using a single message of $n$ bits and $m$ qubits.

Moreover, for some $m = O(\log(n/\epsilon)\cdot\log(n))$, $\epsilon$-quantum identification of $n$-qubit states can be performed using a single message of $n$ bits and $m$ qubits with an encoding quantum circuit of polynomial size.

Proof. Let $\{U_1, \dots, U_t\}$ be a set of unitaries on $n$ qubits verifying an $\epsilon'$-metric uncertainty relation with $\epsilon' = \frac{1}{2}\cdot(\epsilon/28)^2$. We start by preparing the uniform superposition $\frac{1}{\sqrt{t}}\sum_{k=1}^t |k\rangle_K$ and apply the unitary $U_k$ on system $C$ controlled by the register $K$. We get the state $\frac{1}{\sqrt{t}}\sum_k |k\rangle_K (U_k|\psi\rangle)_{AB} = \sum_{k,a} |k\rangle_K|a\rangle_A|\psi_{k,a}\rangle_B$ for some non-normalized vectors $|\psi_{k,a}\rangle \in B$. Alice then measures the system $KA$ in the computational basis obtaining an outcome $k, a$ and sends $k, a$ and $|\hat\psi_{k,a}\rangle$ to Bob, where $|\hat\psi_{k,a}\rangle = |\psi_{k,a}\rangle / \||\psi_{k,a}\rangle\|_2$. Observe that $\sum_{k,a} \||\psi_{k,a}\rangle\|_2^2 = 1$ and $\||\psi_{k,a}\rangle\|_2^2 = \frac{1}{t}\cdot p^{A}_{U_k|\psi\rangle}(a)$ so that the metric uncertainty relation property can be written as

(4.19)

This shows that the isometry $|\psi\rangle \mapsto \frac{1}{\sqrt{t}}\sum_k |k\rangle_K (U_k|\psi\rangle)_{AB}$ satisfies the condition (4.15) of Lemma 4.2.2.

The decoding POVMs for received classical information $k, a$ and state $|\varphi\rangle$ are defined by $D^{\varphi}_{k,a} = |\hat\varphi_{k,a}\rangle\langle\hat\varphi_{k,a}|$ where $\frac{1}{\sqrt{t}}\sum_k |k\rangle_K (U_k|\varphi\rangle)_{AB} = \sum_{k,a}|k\rangle_K|a\rangle_A|\varphi_{k,a}\rangle_B$ and $|\hat\varphi_{k,a}\rangle = |\varphi_{k,a}\rangle / \||\varphi_{k,a}\rangle\|_2$. The protocol is illustrated in Figure 4.2.

We now analyse the probability that Bob outputs $1$. Recall that outcome $1$ corresponds to the projector $|\hat\varphi_{k,a}\rangle\langle\hat\varphi_{k,a}|$. The probability that the protocol in Figure 4.2 outputs $1$ is

$$\sum_{k,a} \||\psi_{k,a}\rangle\|_2^2 \cdot \mathrm{tr}\left[|\hat\varphi_{k,a}\rangle\langle\hat\varphi_{k,a}|\,|\hat\psi_{k,a}\rangle\langle\hat\psi_{k,a}|\right] = \sum_{k,a} \||\psi_{k,a}\rangle\|_2^2\, |\langle\hat\psi_{k,a}|\hat\varphi_{k,a}\rangle|^2 .$$

Applying Lemma 4.2.2, we have

$$\frac{1}{td_A}\sum_{k,a} \left| |\langle\hat\psi_{k,a}|\hat\varphi_{k,a}\rangle|^2 - |\langle\psi|\varphi\rangle|^2\right| \le 14\sqrt{2\epsilon'} = \epsilon/2 . \quad (4.20)$$

Using the triangle inequality, equations (4.20) and (4.19), we obtain

$$\left|\sum_{k,a} \||\psi_{k,a}\rangle\|_2^2\, |\langle\hat\psi_{k,a}|\hat\varphi_{k,a}\rangle|^2 - |\langle\psi|\varphi\rangle|^2\right| \le \frac{1}{td_A}\sum_{k,a}\left| |\langle\hat\psi_{k,a}|\hat\varphi_{k,a}\rangle|^2 - |\langle\psi|\varphi\rangle|^2\right| + \sum_{k,a}\left|\,\||\psi_{k,a}\rangle\|_2^2 - \frac{1}{td_A}\right| \le \epsilon/2 + 4\epsilon' \le \epsilon .$$

Thus, the probability of obtaining outcome $1$ is in the interval $[|\langle\psi|\varphi\rangle|^2 - \epsilon, |\langle\psi|\varphi\rangle|^2 + \epsilon]$.

We conclude by using the metric uncertainty relations of Theorems 3.3.2 and 3.4.7. For the explicit construction, we still need to argue that the encoding can be computed by a quantum circuit of size $O(n^2\,\mathrm{polylog}(n/\epsilon))$ and depth $O(n\,\mathrm{polylog}(n/\epsilon))$ using classical precomputations. To obtain this running time, we actually use the 1-MUBs of Lemma 3.4.1 in the construction of Theorem 3.4.7. The only thing we need to precompute is an irreducible polynomial of degree $n$ over $\mathbb{F}_2[X]$. Then, using the same argument as in the proof of Lemma 3.4.1, we can compute the unitary operation that takes as input the state $|j\rangle \otimes |\psi\rangle$ and outputs the state $|j\rangle \otimes V_j|\psi\rangle$ using a circuit of size $O(n^2\,\mathrm{polylog}\, n)$ and depth $O(n\,\mathrm{polylog}\, n)$. Since the permutation extractor we use can be implemented by a quantum circuit of size $O(n\,\mathrm{polylog}(n/\epsilon))$, the unitary transformation $|k\rangle \otimes |\psi\rangle \mapsto |k\rangle \otimes U_k|\psi\rangle$ can be computed by a quantum circuit of size $O(n^2\,\mathrm{polylog}(n/\epsilon))$ and depth $O(n\,\mathrm{polylog}(n/\epsilon))$.

□



This result can be thought of as an analogue of the well-known fact that the public-coin randomized communication complexity of equality is $O(\log(1/\epsilon))$ for an error probability $\epsilon$ [Kushilevitz and Nisan, 1997]. Quantum communication replaces classical communication and classical communication replaces public random bits. Classical communication can be thought of as an extra resource because on its own it is useless for quantum identification [Hayden and Winter, 2012, Theorem 11].



Chapter 5

Uncertainty relations in the presence of quantum side information



Outline of the chapter. In the previous chapters, it was assumed that the adversary trying to predict the outcome of the measurement is not entangled with the quantum system being measured. In Section 5.1 we explain what it means for an uncertainty relation to hold when the adversary has quantum side information. After that, in Section 5.2, we introduce metric uncertainty relations with quantum side information that we call QC-extractors. We also give several efficient constructions of QC-extractors. We finally show how, using such uncertainty relations, we can relate the security of two-party computations to the quantum capacity of the quantum storage of the adversary (Section 5.4).



5.1 Introduction 

Let us consider uncertainty relations in the form of a game, called the uncertainty game by Berta et al. [2010]. Bob prepares a system called $A$ and sends it to Alice. Alice chooses a projective measurement $i$ at random from a set of possible measurements to perform on system $A$. She obtains an outcome that we denote $X$. She then sends $i$ to Bob whose goal is to predict $X$. In Chapter 3, we saw several constructions of measurements for which Bob has a lot of uncertainty about $X$. But in a fully quantum world, Bob might keep a quantum system $E$ that is entangled with $A$ that could help him in predicting $X$. As an example, imagine that Bob prepares the maximally entangled state $|\Phi\rangle = \frac{1}{\sqrt{d_A}}\sum_j |j\rangle_A|j\rangle_E$. Assume the measurements that Alice performs on $A$ are obtained by first applying a unitary transformation $U_i$ on $A$ followed by a measurement in the computational basis. It is simple to see that if Bob, upon receiving the index $i$, applies $U_i^*$ on his system $E$ and performs a measurement in the computational basis, he will get the exact same outcome as Alice. Thus, if Alice and Bob share a maximally entangled state, then Bob can perfectly predict the outcome that Alice obtains: there is no uncertainty at all. This makes it clear that the amount of uncertainty depends on the information available to the adversary Bob. In the previous two chapters, we considered the case where Bob prepares a quantum state and sends it completely to Alice, i.e., the $E$ system is not present. In this chapter, we will construct uncertainty relations that hold even when Bob holds a quantum system.
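As an added example, not part of the thesis, the following Python script plays the uncertainty game above on a qubit: Alice measures her half of $|\Phi\rangle$ in the basis given by $U_i$, and Bob applies $U_i^*$ to $E$ before measuring. It also shows what happens if Bob applies $U_i$ instead of $U_i^*$, and that with a trivial $E$ (a product state) Bob is reduced to guessing. The unitaries, the product state and all function names are constructed here for the demonstration.

```python
import cmath
import math

# Added example (not from the thesis): the uncertainty game of Section 5.1 played on the
# maximally entangled state |Phi> = d^{-1/2} sum_j |j>_A |j>_E, with d = 2. Amplitudes of a
# state on AE are stored as a d x d matrix c[j][k] (j indexes A, k indexes E).

def matmul(P, Q):
    """Product of two small square complex matrices given as lists of rows."""
    n = len(P)
    return [[sum(P[r][k] * Q[k][c] for k in range(n)) for c in range(n)] for r in range(n)]

def transpose(P):
    return [list(col) for col in zip(*P)]

def conj(P):
    """Entrywise complex conjugate U^*, which is what Bob must apply on E."""
    return [[complex(z).conjugate() for z in row] for row in P]

def max_entangled(d):
    """Amplitudes of |Phi> on AE."""
    return [[1 / math.sqrt(d) if j == k else 0.0 for k in range(d)] for j in range(d)]

def product_state(psi):
    """Amplitudes of |psi>_A (x) |0>_E: a trivial E carrying no information about A."""
    d = len(psi)
    return [[psi[j] if k == 0 else 0.0 for k in range(d)] for j in range(d)]

def joint_distribution(c, UA, UB):
    """P(x, y): Alice applies UA on A, Bob applies UB on E, both then measure in the
    computational basis. Applying UA (x) UB to the amplitude matrix c gives UA . c . UB^T."""
    out = matmul(matmul(UA, c), transpose(UB))
    return [[abs(z) ** 2 for z in row] for row in out]

def alice_marginal(P):
    return [sum(row) for row in P]

def prob_bob_correct(P):
    """Probability that Bob's outcome equals Alice's outcome: sum_x P(x, x)."""
    return sum(P[x][x] for x in range(len(P)))

# Constructed measurement bases for d = 2 (constructed sample data, not from the thesis):
SQ = 1 / math.sqrt(2)
HADAMARD = [[SQ, SQ], [SQ, -SQ]]                  # real, so HADAMARD^* = HADAMARD
Y_BASIS = [[SQ, SQ], [SQ * 1j, -SQ * 1j]]         # eigenbasis of Pauli Y
THETA, PHI = math.pi / 4, math.pi / 3
ROT = [[math.cos(THETA), -math.sin(THETA) * cmath.exp(-1j * PHI)],
       [math.sin(THETA) * cmath.exp(1j * PHI), math.cos(THETA)]]  # generic rotation with a phase
IDENTITY = [[1.0, 0.0], [0.0, 1.0]]

def entangled_game(U):
    """Bob holds the other half of |Phi> and applies U^*: returns (P[X = 0], P[Bob correct])."""
    P = joint_distribution(max_entangled(2), U, conj(U))
    return alice_marginal(P)[0], prob_bob_correct(P)

def entangled_game_wrong_basis(U):
    """Same game, but Bob applies U instead of U^*: the prediction is no longer perfect in general."""
    P = joint_distribution(max_entangled(2), U, U)
    return prob_bob_correct(P)

def unentangled_game(U):
    """Trivial E (product state |0>_A |0>_E): Bob's best strategy is to output the most likely
    value of Alice's marginal, which for these bases is a coin flip."""
    P = joint_distribution(product_state([1.0, 0.0]), U, IDENTITY)
    return max(alice_marginal(P))

if __name__ == "__main__":
    for name, U in [("Hadamard", HADAMARD), ("Y basis", Y_BASIS), ("rotation", ROT)]:
        p0, p_ok = entangled_game(U)
        print(f"{name:9s} P[X=0]={p0:.3f}  Bob with U^*: {p_ok:.3f}  "
              f"Bob with U: {entangled_game_wrong_basis(U):.3f}  "
              f"best guess without E: {unentangled_game(U):.3f}")
```

Alice's outcome is uniformly random in every basis, yet Bob reproduces it with certainty whenever he applies the complex conjugate of her unitary; with the rotation basis, applying $U$ instead of $U^*$ drops his success probability to 1/4.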

As was discussed above, when the systems $A$ and $E$ are maximally entangled, all the measurement outcomes can be predicted perfectly. Thus, any uncertainty relation should take into account the amount of entanglement between $A$ and the adversary $E$. After being conjectured by Renes and Boileau [2009], it was proven by Berta et al. [2010] that for any state $\rho$ on $AE$, the following inequality holds:

$$\frac12\big(H(X|E)_{\rho^1} + H(X|E)_{\rho^2}\big) \ge \log(1/c) + \frac12 H(A|E)_\rho \tag{5.1}$$

where $\rho^i_{XE} = \mathcal{M}_{A\to X}(U_i\rho_{AE}U_i^\dagger)$ for $i\in\{1,2\}$ is the state obtained when measuring the system $A$ of the state $U_i\rho_{AE}U_i^\dagger$ in the computational basis and $c$ is the maximum overlap between the vectors defined by $U_1$ and $U_2$, $c = \max_{a,a'}|\langle a|U_1U_2^\dagger|a'\rangle|$. $\mathcal{M}_{A\to X}$ refers to the measurement in the computational basis map: $\mathcal{M}_{A\to X}(\rho) = \sum_a\langle a|\rho|a\rangle\,|a\rangle\langle a|$. Note that the reason we renamed the system $X$ after the measurement is simply to emphasize that it is a classical system. If the state $\rho_{AE}$ is a pure state on $A$, we have $H(A|E) = 0$ and recover the uncertainty relation of Maassen and Uffink [1988] in (3.1). In the case where $\rho_{AE}$ is maximally entangled, then $H(A|E) = -\log d_A$, and $c$ cannot be smaller than $1/\sqrt{d_A}$.¹ This implies that the lower bound in (5.1) is nonpositive, which as discussed earlier is unavoidable. For cryptographic applications, the most interesting case is usually when $\rho_{AE}$ is entangled but not maximally so, i.e., $-\log d_A < H(A|E) < 0$.

We should mention that quantum side information is usually much harder to handle than classical side information. This is due to the fact that it is not clear how to describe a conditional state. Consider the example of the study of randomness extractors. It is not hard to prove that an extractor can handle any classical adversary as long as it can handle a classical adversary holding a trivial system;² see e.g., [König and Terhal, 2008, Proposition 1]. The situation is quite different for quantum adversaries. In fact, Gavinsky et al. [2007] gave an example of an extractor that completely fails when quantum side information is available. This is not to say that quantum adversaries can break any extractor, but that quantum side information can behave in unexpected ways. We now know of many constructions of extractors that do work even when the adversary holds a quantum memory [De et al., 2009; König and Terhal, 2008; Renner and König, 2005; Ta-Shma, 2009; Tomamichel et al., 2011].

¹ To see this, just write one of the vectors of basis 1 in basis 2: one of the squared coefficients has to be at least as large as the average of $1/d_A$.

² Provided the conditional entropy is the same of course.

As was mentioned in Chapter 3, if we want a larger average measurement entropy, we need to consider more measurements. Unfortunately, up to this day, we only know of uncertainty relations that hold in the presence of quantum memory for two measurements [Berta et al., 2010; Christandl and Winter, 2005; Coles et al., 2011a,b, 2012; Renes and Boileau, 2009; Tomamichel and Renner, 2011]. For two measurements, the incompatibility is directly related to a simple function of the pairwise inner products between vectors in the two bases. For more measurements, controlling the pairwise inner products between the different bases elements is not sufficient to guarantee a good lower bound on the uncertainty [Ballester and Wehner, 2007]. In this chapter, we will give several constructions of strong uncertainty relations for many measurements.

Our strategy will be to follow the idea introduced in Chapter 3 of quantifying the uncertainty in a set of measurement outcomes by the distance to the uniform distribution. In order to account for the possible side information that the adversary $E$ has, we also require the output to be independent of the adversary. More precisely, the condition for a set of unitaries $U_1,\dots,U_t$ will be of the form

$$\frac1t\sum_{i=1}^t\Big\|\mathcal{T}_{A\to A_1}(U_i\rho_{AE}U_i^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \varepsilon \tag{5.2}$$

where the map $\mathcal{T}$ performs a measurement in the computational basis and then discards the subsystem $A_2$ while keeping $A_1$.



$$\mathcal{T}_{A\to A_1} = \sum_{a_1,a_2}\langle a_1a_2|\,(\cdot)\,|a_1a_2\rangle\;|a_1\rangle\langle a_1|\,, \tag{5.3}$$

where $\{|a_1\rangle\}$, $\{|a_2\rangle\}$ are the computational bases of $A_1, A_2$ respectively. Here, $A_1$ plays the role of the hard to predict outcome called $X$ in the earlier discussion. Equation (5.2) is analogous to Definition 3.2.1, except that we also require that the outcome $A_1$ be decoupled from the adversary $E$. Motivated by the similarity between equation (5.2) and randomness extractors (already introduced in Definition 3.4.4), we call such a set of unitaries a QC-extractor. More details on randomness extractors and related constructions are given in Section 5.2 where we also give constructions of QC-extractors. We will show in Section 5.3 that if $U_1,\dots,U_t$ satisfy (5.2), they also satisfy an entropic uncertainty relation, as was done in Chapter 3. Section 5.4 is devoted to cryptographic applications of these uncertainty relations.



5.2 Quantum to Classical randomness extractors (QC-extractors)



Randomness extractors³ were introduced by Nisan and Zuckerman [1996] in the context of derandomization. An extractor is a function that transforms a weak source of randomness into almost uniform random bits. The initial motivating applications were related to complexity theory, e.g., derandomization of space-bounded computations [Nisan and Zuckerman, 1996], simulating randomized algorithms with a weak random source [Zuckerman, 1996b] or also as a tool for proving hardness of approximation [Zuckerman, 1996a]. The definition of randomness extractors was actually predated by the similar idea of privacy amplification introduced in a cryptographic context, more precisely for quantum key distribution [Bennett et al., 1988, 1995]. There, the setting is as follows. Suppose Alice and Bob share a bitstring $X$ about which Eve might have some information $E$. They want to extract a secret key about which Eve has almost no information. Here $X$ viewed from the point of view of $E$ is a weak source of randomness from which we want to distill almost perfect random bits. It is particularly clear in this picture that an extractor should work subject only to the assumption that the source contains some randomness, and not make any assumption on where this randomness is. The reason is that depending on her attack, Eve can obtain information about different parts of $X$. In Chapters 3 and 4, we saw yet other applications of randomness extractors to uncertainty relations and low-distortion norm embeddings. For more background on extractors, their constructions and applications, see the surveys [Shaltiel, 2002; Vadhan, 2007].

Classical sources of randomness are described by probability distributions and the randomness extractors are families of (deterministic) functions taking each possible value of the source to a binary string. To understand the definition of quantum extractors, it is convenient to see a classical extractor as a family of permutations acting on the possible values of the source. This family of permutations should satisfy the following property: for any probability distribution on input bit strings with high min-entropy, applying a typical permutation from the family to the input induces an almost uniform probability distribution on a prefix of the output; see Definition 3.4.4 for a definition. We define a quantum to quantum extractor in a similar way by allowing the operations performed to be general unitary transformations and the input to the extractor to be quantum.

³ Throughout this thesis, we will only deal with what are known as seeded extractors. For an overview of the different kinds of extractors for different kinds of sources, see [Shaltiel, 2002].

Definition 5.2.1 (QQ-extractors). Let $A = A_1A_2$ with $n = \log d_A$. For $k\in[-n,n]$ and $\varepsilon\in[0,1]$, a $(k,\varepsilon)$-QQ-extractor is a set $\{U_1,\dots,U_t\}$ of unitary transformations on $A$ such that for all states $\rho_{AE}\in\mathcal{S}(AE)$ satisfying $H_{\min}(A|E)_\rho \ge k$, we have

$$\frac1t\sum_{i=1}^t\Big\|\mathrm{tr}_{A_2}\big[U_i\rho_{AE}U_i^\dagger\big] - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \varepsilon\,. \tag{5.4}$$

$\log t$ is called the seed size of the QQ-extractor.



Before making a few remarks on the definition, we recall the definition of CC-extractors, which are simply randomness extractors that work in the presence of a quantum adversary.

Definition 5.2.2 (CC-extractors). For $k\in[0,n]$ and $\varepsilon\in[0,1]$, a $(k,\varepsilon)$-CC-extractor is a set $\{f_1,\dots,f_t\}$ of functions from $\{0,1\}^n$ to $\{0,1\}^m$ such that for all states $\rho_{XE}\in\mathcal{S}(XE)$ satisfying $H_{\min}(X|E)_\rho \ge k$, we have

$$\frac1t\sum_{i=1}^t\Big\|\rho_{f_i(X)E} - \frac{\mathrm{id}_Z}{d_Z}\otimes\rho_E\Big\|_1 \le \varepsilon \tag{5.5}$$

where the system $f_i(X)$ is obtained by applying the function to the system $X$.



First, we should stress that the same set of unitaries should satisfy (5.4) for all states $\rho_{AE}$ that meet the conditional min-entropy criterion $H_{\min}(A|E)_\rho \ge k$. In particular, the system $E$ can have arbitrarily large dimension. The quantity $H_{\min}(A|E)_\rho$ measures the uncertainty that an adversary has about the system $A$. As it is usually impossible to model the knowledge of an adversary, a bound on the conditional min-entropy is often all one can get. A notable difference with the classical setting is that the conditional min-entropy $k$ can be negative when the systems $A$ and $E$ are entangled.

A statement of the form of equation (5.4) is more commonly known as a decoupling result [Abeyesinghe et al., 2009; Dupuis, 2010; Dupuis et al., 2010a; Hayden et al., 2008; Horodecki et al., 2005b, 2006]. Such statements play an important role in quantum information theory and many coding theorems amount to proving a decoupling theorem.



In fact, it was shown that a set of unitaries forming a unitary 2-design (see Definition 5.2.4) defines a $(k,\varepsilon)$-QQ-extractor as long as the output size $\log d_{A_1} \le (n+k)/2 - \log(1/\varepsilon)$. The decoupling theorem of Dupuis [2010], Dupuis et al. [2010a] is actually more general than this: it holds even if we replace $\mathrm{tr}_{A_2}$ by any completely positive trace preserving map $\mathcal{T}$. Of course, then the value of $\varepsilon$ depends on an entropic quantity that is a function of the map $\mathcal{T}$ in addition to the term $H_{\min}(A|E)_\rho$, which was already present for QQ-extractors.



A definition of quantum extractors was also proposed in [Ben-Aroya et al., 2010, Definition 5.1]. A set of unitaries $\{U_1,\dots,U_t\}$ acting on $A$ is a $(k,\varepsilon)$-quantum extractor if for all $\rho\in\mathcal{S}(A)$ with $H_{\min}(A)_\rho \ge k$, we have

$$\Big\|\frac1t\sum_{i=1}^t U_i\rho U_i^\dagger - \frac{\mathrm{id}_A}{d_A}\Big\|_1 \le \varepsilon . \tag{5.6}$$



First we note that in their definition, the extractor outputs the whole system (nothing is discarded). This is only possible because they measure the distance between the randomized state $\frac1t\sum_i U_i\rho U_i^\dagger$ and the maximally mixed state (this condition refers to weak extractors), whereas in our definition we ask for the average of the trace distances to be small (strong extractors). It is easy to see that by the triangle inequality, a strong extractor is also a weak extractor. For strong extractors, the seed can be made public, i.e., even conditioned on the value of the random seed, the outcome is close to random. This is not the case for weak extractors. In cryptography, weak extractors are usually not good enough because the seed $i$ is made public during the protocol (see for example Section 5.4). Our definition is also stronger in another respect: we require the extractor to decouple the $A$ system from any quantum side information held in the system $E$.

Ben-Aroya et al. [2010] introduced their definition in the context of studying quantum expanders. In fact, they obtain extractors for high min-entropy sources using their construction of quantum expanders⁴ as well as the construction of Ambainis and Smith [2004]; see also [Desrosiers and Dupuis, 2010, Theorem 3] where the construction based on [Ambainis and Smith, 2004] is studied in the language of approximately randomizing maps [Hayden et al., 2004]. Ben-Aroya et al. [2010] applied their extractor construction to prove that the quantum entropy difference problem is in the complexity class QSZK; see the paper for more details.

In the context of cryptography, a QQ-extractor is often more than one needs. In fact, it is usually sufficient to extract random classical bits, which is in general easier to obtain than random qubits. This motivates the following definition, which differs from a QQ-extractor in that the output system $A_1$ is measured in the computational basis. In particular, any $(k,\varepsilon)$-QQ-extractor is also a $(k,\varepsilon)$-QC-extractor.

Definition 5.2.3 (QC-extractors). Let $A = A_1A_2$ with $n = \log d_A$, and let $\mathcal{T}_{A\to A_1}$ be the measurement map defined in equation (5.3). For $k\in[-n,n]$ and $\varepsilon\in[0,1]$, a $(k,\varepsilon)$-QC-extractor is a set $\{U_1,\dots,U_t\}$ of unitary transformations on $A$ such that for all states $\rho_{AE}\in\mathcal{S}(AE)$ satisfying $H_{\min}(A|E) \ge k$, we have

$$\frac1t\sum_{i=1}^t\Big\|\mathcal{T}_{A\to A_1}(U_i\rho_{AE}U_i^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \varepsilon \tag{5.7}$$

$\log t$ is called the seed size of the QC-extractor.

⁴ In general, an expander can always be used to construct an extractor for very high entropy sources.



Observe that Definition 5.2.3 only allows a specific form of measurements obtained by applying a unitary transformation followed by a measurement in the computational basis of $A_1$. The reason we restrict the measurements to be of this form is that we want the output of the extractor to be perfectly determined by the source and the choice of the seed. In the classical setting, an extractor is a family of deterministic functions of the source and the seed. In the quantum setting, a natural way of translating this requirement is by imposing that an adversary holding a system that is maximally entangled with the source can perfectly predict the output. This condition is satisfied by the form of measurements dictated by Definition 5.2.3. Allowing generalized measurements (POVMs) already (implicitly) allows the use of randomness for free. Note also that in the case where the system $E$ is trivial, a $(0,\varepsilon)$-QC-extractor is the same as an $\varepsilon/2$-metric uncertainty relation (Definition 3.2.1).
Our definition of QC-extractors has some connections with some recent work on device independent randomness generation [Acín et al., 2012; Colbeck, 2006; Colbeck and Kent, 2011; Fehr et al., 2011; Pironio and Massar, 2011; Pironio et al., 2010; Vazirani and Vidick, 2011]. The objective of this line of work is to build protocols to generate bits that are certified to be random. The setting is as follows. The system we consider has a special structure: it is composed of two parts $A$ and $B$ that are spatially separated. Using a small random seed, a pair of measurements is chosen to be performed on $A$ and $B$ obtaining outcomes $X$ and $Y$. Then, statistical tests are performed on $X$ and $Y$ to record a Bell inequality violation. Such a violation is then evidence that the systems $A$ and $B$ are entangled, which implies in particular that say $H_{\max}(A|B)$ is significantly smaller than $\log d_A$. But this means that if the adversary holds a purification of the system $AB$, we have $H_{\min}(A|E) = -H_{\max}(A|B) \gg -\log d_A$. Thus, by applying a QC-extractor, one can generate almost perfect random bits. The challenge in that context is to detect Bell inequality violations with a small number of measurements.
5.2.1 Examples and limitations of QC-extractors

Universal (or two-independent) hashing is probably one of the most important extractor constructions, which even predates the general definition of extractors [Impagliazzo et al., 1989]. Unitary 2-designs can be seen as a quantum generalization of two-independent hash functions.

Definition 5.2.4. A set of unitaries $\{U_1,\dots,U_t\}$ acting on $A$ is said to be a 2-design if for all $M\in\mathcal{L}(A^{\otimes 2})$, we have

$$\frac1t\sum_{i=1}^t U_i^{\otimes 2}\,M\,(U_i^\dagger)^{\otimes 2} = \int U^{\otimes 2}\,M\,(U^\dagger)^{\otimes 2}\,dU \tag{5.8}$$

where the integration is with respect to the Haar measure on the unitary group.



Many efficient constructions of unitary 2-designs are known [Dankert et al., 2009; Gross et al., 2007], and in an $n$-qubit space, such unitaries can typically be computed by circuits of size $O(n^2)$. However, observe that the number of unitaries of a 2-design is at least $t \ge d_A^4 - 2d_A^2 + 2$ [Gross et al., 2007]. The following is immediate using a general decoupling result of Dupuis [2010], Dupuis et al. [2010a] (see Lemma A.3.2).



Corollary 5.2.5. Let $A = A_1A_2$ with $n = \log d_A$. For all $k\in[-n,n]$ and all $\varepsilon > 0$, a unitary 2-design $\{U_1,\dots,U_t\}$ on $A$ is a $(k,\varepsilon)$-QC-extractor with output size

$$\log d_{A_1} = \min\big(n,\; n + k - 2\log(1/\varepsilon)\big). \tag{5.9}$$



Similar results also hold for almost unitary 2-designs; see [Szehr et al., 2011]. Using the results of Harrow and Low [2009], this shows for instance that random quantum circuits of size $O(n^2)$ are QC-extractors with basically the same parameters as in Corollary 5.2.5.

Proposition 5.2.7 below shows that the output size of these QC-extractors is basically optimal. In fact, even if we are looking for a QC-extractor that works for a particular state $\rho_{AE}$, the output size is at most $n + H^{\varepsilon}_{\min}(A|E)_\rho$, where $n$ denotes the size of the input. In order to do that, we start by proving that when we measure a quantum system $A$, the min-entropy increases by at most the logarithm of the dimension of the system being measured.



Lemma 5.2.6. Let $\rho_{AB}\in\mathcal{S}(AB)$, $\varepsilon > 0$, and $\{P_a\}_{a=1}^{d_A}$ be a projective rank-one measurement on $A$. Then

$$H^{\varepsilon}_{\min}(X|B)_\rho \le H^{\varepsilon}_{\min}(A|B)_\rho + \log d_X .$$
Proof. Let $V_{A\to XX'}$ be an isometric purification of $\{P_x\}$ and $\rho_{XX'BB'}$ a purification of $\rho_{XX'B} = V\rho_{AB}V^\dagger$. By the invariance of the min-entropy under local isometries [Tomamichel et al., 2010, Lemma 13] and the duality between the min- and max-entropy (Lemma 2.2.3), the proposition becomes equivalent to

$$H^{\varepsilon}_{\max}(XX'|B')_\rho \le H^{\varepsilon}_{\max}(X|X'B')_\rho + \log d_X .$$

By the definition of the smooth max-entropy (equations (2.15)–(2.16)), there exists $\tilde\rho_{XX'B'}\in\mathcal{B}^{\varepsilon}(\rho_{XX'B'})$ and $\sigma_{X'B'}\in\mathcal{S}(X'B')$ such that

$$H^{\varepsilon}_{\max}(X|X'B')_\rho = \log F(\tilde\rho_{XX'B'}, \mathrm{id}_X\otimes\sigma_{X'B'})^2 ,$$

as well as $\hat\rho_{XX'B'}\in\mathcal{B}^{\varepsilon}(\rho_{XX'B'})$ and $\sigma_{B'}\in\mathcal{S}(B')$ such that

$$H^{\varepsilon}_{\max}(XX'|B')_\rho = \log F(\hat\rho_{XX'B'}, \mathrm{id}_{XX'}\otimes\sigma_{B'})^2 .$$

Now observe that

$$\begin{aligned}
H^{\varepsilon}_{\max}(XX'|B')_\rho
&\le \log\Big(d_X\cdot F\Big(\tilde\rho_{XX'B'},\, \mathrm{id}_X\otimes\frac{\mathrm{id}_{X'}}{d_{X'}}\otimes\sigma_{B'}\Big)^2\Big) \\
&\le \max_{\sigma_{X'B'}}\log F(\tilde\rho_{XX'B'}, \mathrm{id}_X\otimes\sigma_{X'B'})^2 + \log d_X \\
&= H^{\varepsilon}_{\max}(X|X'B')_\rho + \log d_X .
\end{aligned}$$

□



Proposition 5.2.7 (Upper bound on the output size). Let $A = A_1A_2$, $\rho_{AE}\in\mathcal{S}(AE)$, $\{U_1,\dots,U_t\}$ a set of unitaries on $A$, and $\mathcal{T}_{A\to A_1}$ defined as in equation (5.3), such that

$$\frac1t\sum_{i=1}^t\Big\|\mathcal{T}_{A\to A_1}(U_i\rho_{AE}U_i^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \varepsilon . \tag{5.10}$$

Then,

$$\log d_{A_1} \le \log d_A + H^{\varepsilon}_{\min}(A|E)_\rho .$$



Proof. Consider the projective rank-one measurements $\{P^i_a\}$ obtained by performing $U_i$ followed by a measurement in the computational basis of $A$. As a result, we can apply Lemma 5.2.6 and obtain for all $i\in\{1,\dots,t\}$

$$H^{\varepsilon}_{\min}(X_i|E)_\rho \le \log d_A + H^{\varepsilon}_{\min}(A|E)_\rho ,$$

where $X_i$ denotes the outcome of the measurement $\{P^i_a\}$. But condition (5.10) implies that there exists $i\in\{1,\dots,t\}$ such that

$$\Big\|\mathcal{T}_{A\to A_1}(U_i\rho_{AE}U_i^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \varepsilon .$$

In other words, $\frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E \in \mathcal{B}^{\varepsilon}\big(\mathcal{T}_{A\to A_1}(U_i\rho_{AE}U_i^\dagger)\big)$. By monotonicity of the min-entropy for classical registers [Berta et al., 2011c, Lemma C.5], we have that

which proves the desired result. □



We now study the seed size property. We prove that choosing a reasonably small set of unitaries at random defines a QC-extractor with high probability. The seed size in this case is of the same order as the output size of the extractor. We expect that a much smaller seed size would be sufficient. However, as will be proved in Proposition 5.2.10 below, different methods would have to be used in order to prove that.



Theorem 5.2.8. Let $A = A_1A_2$ with $n = \log d_A$ and $\mathcal{T}_{A\to A_1}$ be the measurement map defined in equation (5.3). Let $\varepsilon > 0$, $c$ be a sufficiently large constant,

$$\log d_{A_1} \le n + k - 4\log(1/\varepsilon) - c \quad\text{and}\quad \log t \ge \log d_{A_1} + \log n + 4\log(1/\varepsilon) + c .$$

Then, choosing $t$ unitaries $\{U_1,\dots,U_t\}$ independently according to the Haar measure defines a $(k,\varepsilon)$-QC-extractor with high probability. See (5.15) for a probability bound.



Proof. The proof uses one-shot decoupling techniques [Dupuis, 2010; Dupuis et al., 2010a; Szehr et al., 2011] combined with an operator Chernoff bound [Ahlswede and Winter, 2002] (see Lemma A.3.5).

Let $U$ be a unitary on $A$. We use the Hölder-type inequality (see e.g., [Bhatia, 1997, Corollary IV.2.6])

$$\|\alpha\beta\gamma\|_1 \le \big\|\,|\alpha|^r\big\|_1^{1/r}\,\big\|\,|\beta|^s\big\|_1^{1/s}\,\big\|\,|\gamma|^{r'}\big\|_1^{1/r'}$$

where $1/r + 1/s + 1/r' = 1$. We use it with $r = r' = 4$, $s = 2$, and $\alpha = \gamma = (\mathrm{id}_{A_1}\otimes\rho_E)^{1/4}$, $\beta = (\mathrm{id}_{A_1}\otimes\rho_E)^{-1/4}\big(\mathcal{T}(U\rho_{AE}U^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\big)(\mathrm{id}_{A_1}\otimes\rho_E)^{-1/4}$ to get that⁵

$$\begin{aligned}
\Big\|\mathcal{T}(U\rho_{AE}U^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1
&\le d_{A_1}^{1/4}\,\Big\|(\mathrm{id}_{A_1}\otimes\rho_E)^{-1/4}\Big(\mathcal{T}(U\rho_{AE}U^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big)(\mathrm{id}_{A_1}\otimes\rho_E)^{-1/4}\Big\|_2\, d_{A_1}^{1/4} \\
&= d_{A_1}^{1/2}\,\Big\|\mathcal{T}(U\tilde\rho_{AE}U^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\tilde\rho_E\Big\|_2
\end{aligned}$$

where $\tilde\rho_{AE} = (\mathrm{id}_A\otimes\rho_E)^{-1/4}\rho_{AE}(\mathrm{id}_A\otimes\rho_E)^{-1/4}$ and $\tilde\rho_E = \mathrm{tr}_A[\tilde\rho_{AE}] = \rho_E^{1/2}$. Together with the concavity of the square root function, this implies

$$\frac1t\sum_{i=1}^t\Big\|\mathcal{T}(U_i\rho_{AE}U_i^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \sqrt{d_{A_1}}\,\sqrt{\frac1t\sum_{i=1}^t\Big\|\mathcal{T}(U_i\tilde\rho_{AE}U_i^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\tilde\rho_E\Big\|_2^2}\,. \tag{5.11}$$

We continue with

$$\frac1t\sum_{i=1}^t\Big\|\mathcal{T}(U_i\tilde\rho_{AE}U_i^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\tilde\rho_E\Big\|_2^2 = \frac1t\sum_{i=1}^t\Big(\mathrm{tr}\big[\mathcal{T}(U_i\tilde\rho_{AE}U_i^\dagger)^2\big] - 2\,\mathrm{tr}\Big[\mathcal{T}(U_i\tilde\rho_{AE}U_i^\dagger)\Big(\frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\tilde\rho_E\Big)\Big] + \mathrm{tr}\Big[\Big(\frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\tilde\rho_E\Big)^2\Big]\Big) \tag{5.12}$$

and first compute the cross term

$$\mathrm{tr}\Big[\mathcal{T}(U_i\tilde\rho_{AE}U_i^\dagger)\Big(\frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\tilde\rho_E\Big)\Big] = \frac{1}{d_{A_1}}\,\mathrm{tr}\big[\mathcal{T}(U_i\tilde\rho_{AE}U_i^\dagger)(\mathrm{id}_{A_1}\otimes\tilde\rho_E)\big] = \frac{1}{d_{A_1}}\,\mathrm{tr}\Big[\mathrm{tr}_{A_1}\big[\mathcal{T}(U_i\tilde\rho_{AE}U_i^\dagger)\big]\,\tilde\rho_E\Big] = \frac{1}{d_{A_1}}\,\mathrm{tr}\big[\tilde\rho_E^2\big]\,.$$

⁵ The inverses are generalized inverses.
Going back to equation (5.12), we obtain

$$\frac1t\sum_{i=1}^t\Big\|\mathcal{T}(U_i\tilde\rho_{AE}U_i^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\tilde\rho_E\Big\|_2^2 = \frac1t\sum_{i=1}^t\mathrm{tr}\big[\mathcal{T}(U_i\tilde\rho_{AE}U_i^\dagger)^2\big] - \frac{2}{d_{A_1}}\,\mathrm{tr}\big[\tilde\rho_E^2\big] + \frac{1}{d_{A_1}}\,\mathrm{tr}\big[\tilde\rho_E^2\big] = \frac1t\sum_{i=1}^t\mathrm{tr}\big[\mathcal{T}(U_i\tilde\rho_{AE}U_i^\dagger)^2\big] - \frac{1}{d_{A_1}}\,\mathrm{tr}\big[\tilde\rho_E^2\big]\,. \tag{5.13}$$

Let $F_{AA'}$ denote the swap operator $F_{AA'} = \sum_{a,a'}|aa'\rangle\langle a'a|$. We now compute the first term using the "swap trick" (Lemma A.3.4)

$$\begin{aligned}
\mathrm{tr}\big[\mathcal{T}(U\tilde\rho_{AE}U^\dagger)^2\big]
&= \mathrm{tr}\Big[\Big(\sum_{a_1a_2}\langle a_1a_2|U\tilde\rho_{AE}U^\dagger|a_1a_2\rangle\,|a_1\rangle\langle a_1|\Big)^2\Big] \\
&= \mathrm{tr}\Big[\sum_{a_1a_2a_1'a_2'}\langle a_1a_2a_1'a_2'|U^{\otimes 2}\tilde\rho_{AE}^{\otimes 2}(U^{\otimes 2})^\dagger|a_1a_2a_1'a_2'\rangle\,|a_1a_1'\rangle\langle a_1a_1'|\,(F_{A_1A_1'}\otimes F_{EE'})\Big] \\
&= \sum_{a_1a_2a_1'a_2'}\mathrm{tr}\Big[\tilde\rho_{AE}^{\otimes 2}\,(U^{\otimes 2})^\dagger|a_1a_2a_1'a_2'\rangle\langle a_1a_1'|(F_{A_1A_1'}\otimes F_{EE'})|a_1a_1'\rangle\langle a_1a_2a_1'a_2'|U^{\otimes 2}\Big]\,.
\end{aligned}$$

In the last equality, we used the fact that $|a_1a_1'\rangle$ commutes with the scalar $\langle a_1a_2a_1'a_2'|U^{\otimes 2}\tilde\rho_{AE}^{\otimes 2}(U^{\otimes 2})^\dagger|a_1a_2a_1'a_2'\rangle$ and the cyclicity of the trace. Taking the average over the set $\{U_1,\dots,U_t\}$, we get

$$\begin{aligned}
\frac1t\sum_{i=1}^t\mathrm{tr}\big[\mathcal{T}(U_i\tilde\rho_{AE}U_i^\dagger)^2\big]
&= \mathrm{tr}\Big[\tilde\rho_{AE}^{\otimes 2}\Big(\frac1t\sum_{i=1}^t\sum_{a_1a_2a_1'a_2'}(U_i^{\otimes 2})^\dagger|a_1a_2a_1'a_2'\rangle\langle a_1a_1'|F_{A_1A_1'}|a_1a_1'\rangle\langle a_1a_2a_1'a_2'|U_i^{\otimes 2}\Big)\otimes F_{EE'}\Big] \\
&= \mathrm{tr}\Big[\tilde\rho_{AE}^{\otimes 2}\Big(\frac1t\sum_{i=1}^t\sum_{a_1a_2a_2'}(U_i^{\otimes 2})^\dagger|a_1a_2a_1a_2'\rangle\langle a_1a_2a_1a_2'|U_i^{\otimes 2}\Big)\otimes F_{EE'}\Big]\,.
\end{aligned} \tag{5.14}$$

Using for example [Dupuis et al., 2010a, Lemma 3.4], if $U$ is distributed according to the Haar measure on the group of unitaries acting on $A$, then

$$\mathbb{E}_U\Big[\sum_{a_1a_2a_2'}(U^{\otimes 2})^\dagger|a_1a_2a_1a_2'\rangle\langle a_1a_2a_1a_2'|U^{\otimes 2}\Big] = \frac{d_{A_1}d_{A_2}^2 - 1}{d_A^2 - 1}\,\mathrm{id}_{AA'} + \frac{d_A - d_{A_2}}{d_A^2 - 1}\,F_{AA'}\,.$$
We use the shorthand $\Upsilon_{AA'}$ for the expression above. Now we note that $\frac{d_{A_1}d_{A_2}^2 - 1}{d_A^2 - 1} \ge \frac{1}{2d_{A_1}}$ and apply the operator Chernoff bound (Lemma A.3.5) to get

$$\Pr\Big\{\frac1t\sum_{i=1}^t\sum_{a_1a_2a_2'}(U_i^{\otimes 2})^\dagger|a_1a_2a_1a_2'\rangle\langle a_1a_2a_1a_2'|U_i^{\otimes 2} \le (1+\eta)\,\Upsilon_{AA'}\Big\} \ge 1 - d_A^2\exp\Big(-\frac{t\eta^2}{4\ln 2\cdot d_{A_1}}\Big)\,. \tag{5.15}$$

This shows that if $t \ge 2\cdot 4\ln 2\cdot d_{A_1}\log d_A/\eta^2$, the unitaries $U_1,\dots,U_t$ satisfy the above operator inequality with high probability. In the rest of the proof, we show that such unitaries define QC-extractors. Putting these unitaries in equation (5.14), we get

$$\frac1t\sum_{i=1}^t\mathrm{tr}\big[\mathcal{T}(U_i\tilde\rho_{AE}U_i^\dagger)^2\big] \le (1+\eta)\Big(\frac{d_{A_1}d_{A_2}^2 - 1}{d_A^2 - 1}\,\mathrm{tr}\big[\tilde\rho_E^2\big] + \frac{d_A - d_{A_2}}{d_A^2 - 1}\,\mathrm{tr}\big[\tilde\rho_{AE}^2\big]\Big)\,.$$

Plugging this expression in equation (5.13) and then in equation (5.11), we get

$$\begin{aligned}
\frac1t\sum_{i=1}^t\Big\|\mathcal{T}(U_i\rho_{AE}U_i^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1
&\le \sqrt{(1+\eta)\frac{d_A^2 - d_{A_1}}{d_A^2 - 1}\,\mathrm{tr}\big[\tilde\rho_E^2\big] - \mathrm{tr}\big[\tilde\rho_E^2\big] + (1+\eta)\frac{d_{A_1}(d_A - d_{A_2})}{d_A^2 - 1}\,\mathrm{tr}\big[\tilde\rho_{AE}^2\big]} \\
&\le \sqrt{\eta + (1+\eta)\frac{d_{A_1}}{d_A + 1}\,\mathrm{tr}\big[\tilde\rho_{AE}^2\big]}
\end{aligned}$$

since $\mathrm{tr}[\tilde\rho_E^2] = \mathrm{tr}\Big[\Big(\mathrm{tr}_A\big[(\mathrm{id}_A\otimes\rho_E^{-1/4})\rho_{AE}(\mathrm{id}_A\otimes\rho_E^{-1/4})\big]\Big)^2\Big] = \mathrm{tr}[\rho_E] = 1$. By the definition of the conditional collision entropy (equation (2.17)) and Lemma 2.2.4, it follows that

$$\frac1t\sum_{i=1}^t\Big\|\mathcal{T}(U_i\rho_{AE}U_i^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \sqrt{\eta + (1+\eta)\frac{d_{A_1}}{d_A + 1}\,2^{-H_2(A|E)_{\rho|\rho}}} \le \sqrt{\eta + (1+\eta)\frac{d_{A_1}}{d_A + 1}\,2^{-H_{\min}(A|E)_{\rho|\rho}}}\,. \tag{5.16}$$

Now let $\rho'_{AE}$ be such that $H^{\delta'}_{\min}(A|E)_{\rho|\rho} = H_{\min}(A|E)_{\rho'|\rho'}$. Since we have $\|\rho'_{AE} - \rho_{AE}\|_1 \le 2(\delta + \delta')$ (by equation (2.7)), we know that by the triangle inequality and the monotonicity of the trace distance,

$$\Big\|\mathcal{T}(U\rho_{AE}U^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 - \Big\|\mathcal{T}(U\rho'_{AE}U^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho'_E\Big\|_1 \le \|\rho'_{AE} - \rho_{AE}\|_1 \le 2(\delta + \delta')\,,$$

and hence applying (5.16) to $\rho'_{AE}$, we get

$$\frac1t\sum_{i=1}^t\Big\|\mathcal{T}(U_i\rho_{AE}U_i^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \sqrt{\eta + (1+\eta)\frac{d_{A_1}}{d_A + 1}\,2^{-H^{\delta'}_{\min}(A|E)_{\rho|\rho}}} + 2(\delta + \delta')\,.$$

We then use Lemma 2.2.2 about the equivalence of the different conditional min-entropies to get

$$\frac1t\sum_{i=1}^t\Big\|\mathcal{T}(U_i\rho_{AE}U_i^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \sqrt{\eta + (1+\eta)\frac{d_{A_1}}{d_A + 1}\,2^{-H^{\delta}_{\min}(A|E)_\rho + z}} + 2(\delta + \delta') \tag{5.17}$$

with $z = \log\big(2/\delta'^2 + 1/(1-\delta)\big)$. Setting $\eta = \varepsilon^2/4$, $\delta = 0$, $\delta' = \varepsilon/4$, and assuming $\log d_{A_1} \le n + k - 4\log(1/\varepsilon) - c$ with $k = H_{\min}(A|E)_\rho$, we can upper bound equation (5.17) for large enough $c$ by

$$\varepsilon/2 + \sqrt{\varepsilon^2/4 + 2\cdot 2^{\,k - 4\log(1/\varepsilon) - c - k + \log(8/\varepsilon^2 + 1)}} \le \varepsilon/2 + \sqrt{\varepsilon^2/4 + \varepsilon^2\cdot 2^{\,1 - c + 4}} \le \varepsilon\,.$$

□



The following simple argument shows that the number of unitaries of a QC-extractor has to be at least $1/\varepsilon$.

Proposition 5.2.9 (Lower bound on seed size). Let $A = A_1A_2$. Any $(k,\varepsilon)$-QC-extractor with $k < \log d_A - 1$ is composed of a set of unitaries on $A$ of size at least $t \ge 1/\varepsilon$.

Proof. Let $S\subseteq[d_{A_1}]$ be an arbitrary subset of basis elements of $A_1$. Then consider the state

$$\rho_A = \frac{1}{|S|\,d_{A_2}}\sum_{a_1\in S,\,a_2} U_1^\dagger|a_1a_2\rangle\langle a_1a_2|U_1\,.$$

Note that $\mathcal{T}(U_1\rho_AU_1^\dagger) = \frac{1}{|S|}\sum_{a_1\in S}|a_1\rangle\langle a_1|$ and thus $\big\|\mathcal{T}(U_1\rho_AU_1^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\big\|_1 = 1$. This implies the claim. □



Observe that in the case where the system $E$ is trivial (or classical), we showed in Theorem 3.3.2 that there exist QC-extractors composed of $t = O(\log(1/\varepsilon)\,\varepsilon^{-2})$ unitaries. This is a difference with classical extractors, for which the number of possible values of the seed has to be at least $\Omega((n-k)\varepsilon^{-2})$ [Radhakrishnan and Ta-Shma, 2000] and a probabilistic construction shows that this is tight. It is not clear whether this is an important difference or whether it simply comes from the fact that the analogue for $(0,\varepsilon)$-QC-extractors should be $(n,\varepsilon)$-CC-extractors. An interesting question in this regard is to see whether one can prove an analogous lower bound on the seed size for $(k,\varepsilon)$-QC-extractors with negative $k$.

Observe that in the analysis of Theorem 5.2.8, we actually proved something stronger than condition (5.7). There and actually in all the constructions given in this chapter, we prove that the stronger condition (5.18) below holds. The following proposition shows that with such a strong definition, the seed has to be quite large. In particular, to show the existence of QC-extractors (or even QQ- or CC-extractors) with a short seed, one should use different techniques to bound the trace distance directly.

Proposition 5.2.10 (Extractors for the 2-norm). Let $A = A_1A_2$. Let $\{U_1,\dots,U_t\}$ be unitaries such that

$$\frac1t\sum_{i=1}^t\Big\|\mathcal{T}_{A\to A_1}(U_i\rho_{AE}U_i^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_2^2 \le \frac{\varepsilon^2}{d_{A_1}}\,. \tag{5.18}$$

Then, $t \ge \frac{1}{\varepsilon^2}\cdot\min\Big(\frac{d_A}{2^k},\,\frac{d_{A_1}}{4}\Big)$.

Proof. Let $S\subseteq[d_{A_1}]$ be an arbitrary subset of $\max(1, \lceil 2^k/d_{A_2}\rceil)$ basis elements of $A_1$. Then consider the state

$$\rho_A = \frac{1}{|S|\,d_{A_2}}\sum_{a_1\in S,\,a_2}U_1^\dagger|a_1a_2\rangle\langle a_1a_2|U_1\,.$$

We have $H_{\min}(A)_\rho \ge k$ and $\mathcal{T}(U_1\rho_AU_1^\dagger) = \frac{1}{|S|}\sum_{a_1\in S}|a_1\rangle\langle a_1|$. We can then compute

$$\Big\|\mathcal{T}(U_1\rho_AU_1^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\Big\|_2^2 = \sum_{a_1\in S}\Big(\frac{1}{|S|} - \frac{1}{d_{A_1}}\Big)^2 + \sum_{a_1\notin S}\frac{1}{d_{A_1}^2} \ge \frac{1}{|S|}\Big(1 - \frac{|S|}{d_{A_1}}\Big)^2\,.$$

As a result, we have $\frac1t\cdot\frac{1}{|S|}\Big(1 - \frac{|S|}{d_{A_1}}\Big)^2 \le \frac{\varepsilon^2}{d_{A_1}}$. In the case $2^k/d_{A_2} < 1$, we obtain a lower bound of $t \ge \frac{1}{\varepsilon^2}\cdot d_{A_1}\Big(1 - \frac{1}{d_{A_1}}\Big)^2$. In the other case, we get

$$t \ge \frac{1}{\varepsilon^2}\cdot\frac{d_{A_1}}{|S|}\Big(1 - \frac{|S|}{d_{A_1}}\Big)^2 \ge \frac{1}{\varepsilon^2}\cdot\frac{d_{A_1}}{2\cdot 2^k/d_{A_2}}\Big(1 - \frac{|S|}{d_{A_1}}\Big)^2 = \frac{1}{\varepsilon^2}\cdot\frac{d_A}{2\cdot 2^k}\Big(1 - \frac{|S|}{d_{A_1}}\Big)^2\,.$$

□



Our results about QC-extractors are summarized in Table 5.1.

|               | Seed LB                        | Seed UBs                                               | Output UB                          | Output LB                           |
|---------------|--------------------------------|--------------------------------------------------------|------------------------------------|-------------------------------------|
| CC-extractors | log(n − k) + 2 log(1/ε) [2000] | log(n − k) + 2 log(1/ε); c · log(n/ε) [2009]           | k − 2 log(1/ε) [2000]              | k − 2 log(1/ε) [1989]               |
| QC-extractors | log(1/ε)                       | m + log n + 4 log(1/ε) [5.2.8]; 3n [5.2.11]            | n + H^ε_min(A\|E) [5.2.7]          | n + k − 2 log(1/ε) [2005; 5.2.11]   |

Table 5.1: Known lower bounds (LB) and upper bounds (UB) on the seed size and output size in terms of (qu)bits for different kinds of $(k,\varepsilon)$-randomness extractors. $n$ refers to the number of input (qu)bits, $m$ the number of output (qu)bits and $k$ the min-entropy of the input $H_{\min}(A|E)$. Note that for QC-extractors, $k$ can be as small as $-n$. Additive absolute constants are omitted. We note that the constructions corresponding to the second line are non-explicit.



5.2.2 Full set of mutually unbiased bases (MUBs) 



We saw that unitary 2-designs define QC-extractors. As unitary 2-designs also define QQ- 
extractors, it is natural to expect that we can build smaller and simpler sets of unitaries if 
we are only interested in extracting random classical bits. To that end, in this section, we 
construct simpler sets of unitaries that define QC-extractors. Two ingredients are used: a 
full set of mutually unbiased bases and a family of pairwise independent permutations. 

A set of unitaries $\{U_1, \ldots, U_t\}$ acting on $A$ is said to define mutually unbiased bases 
if for all elements $|a\rangle, |a'\rangle$ of the computational basis of $A$, we have $|\langle a'|U_i^\dagger U_j|a\rangle|^2 \le d_A^{-1}$ 
for all $i \ne j$. In other words, a state described by a vector $U_i^\dagger|a\rangle$ of the basis $i$ gives 
a uniformly distributed outcome when measured in basis $j$ for $i \ne j$. For example the 
two bases, sometimes called computational and Hadamard bases (used in most quantum 
cryptographic protocols), are mutually unbiased. There can be at most $d_A + 1$ mutually 
unbiased bases for $A$. Constructions of full sets of $d_A + 1$ MUBs are known in prime power 
dimensions [Bandyopadhyay et al., 2002; Wootters and Fields, 1989]. Such unitaries can be 
implemented by quantum circuits of almost linear size; see Lemma 3.4.1. Mutually unbiased 
bases also have applications in quantum state determination [Ivanovic, 1981; Wootters and 
Fields, 1989]. 
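As an added example (not code from the thesis), the following Python builds a full set of $d+1$ mutually unbiased bases for a prime dimension $d$ and checks the defining condition $|\langle a'|U_i^\dagger U_j|a\rangle|^2 = d^{-1}$ for $i \ne j$ exhaustively. For $d = 2$ it uses the three Pauli eigenbases; for an odd prime $d$ it uses the quadratic-phase construction of Wootters and Fields (the general prime-power case over extension fields is not implemented here). All function names are the example's own.

```python
import cmath
import math

# Added example, not code from the thesis. Builds and verifies a full set of
# d + 1 mutually unbiased bases (MUBs) for a prime dimension d using plain
# Python complex arithmetic (no numpy). Vectors are lists of complex numbers.


def mub_bases(d):
    """Return d + 1 orthonormal bases of C^d, each a list of d vectors.

    d == 2: the eigenbases of Z, X and Y (the three qubit MUBs of the text).
    d an odd prime: the computational basis plus, for k = 0, ..., d-1, the basis
    whose a-th vector has amplitudes w^(k*x^2 + a*x) / sqrt(d), w = exp(2*pi*i/d)
    (Wootters-Fields construction for prime d).
    """
    if d == 2:
        s = 1 / math.sqrt(2)
        return [
            [[1, 0], [0, 1]],                # Z eigenbasis (computational)
            [[s, s], [s, -s]],               # X eigenbasis (Hadamard)
            [[s, 1j * s], [s, -1j * s]],     # Y eigenbasis
        ]
    if d < 3 or any(d % q == 0 for q in range(2, math.isqrt(d) + 1)):
        raise ValueError("this example handles d = 2 and odd primes only")
    bases = [[[1.0 if x == a else 0.0 for x in range(d)] for a in range(d)]]
    for k in range(d):
        basis = []
        for a in range(d):
            basis.append([cmath.exp(2j * math.pi * (k * x * x + a * x) / d) / math.sqrt(d)
                          for x in range(d)])
        bases.append(basis)
    return bases


def inner(u, v):
    """Hermitian inner product <u|v>."""
    return sum(complex(ui).conjugate() * vi for ui, vi in zip(u, v))


def is_orthonormal(basis, tol=1e-9):
    n = len(basis)
    return all(abs(inner(basis[a], basis[b]) - (1 if a == b else 0)) < tol
               for a in range(n) for b in range(n))


def is_mutually_unbiased(bases, tol=1e-9):
    """Check |<u|v>|^2 == 1/d for every u, v taken from two different bases."""
    d = len(bases[0])
    for i, bi in enumerate(bases):
        for j, bj in enumerate(bases):
            if i == j:
                continue
            for u in bi:
                for v in bj:
                    if abs(abs(inner(u, v)) ** 2 - 1 / d) > tol:
                        return False
    return True


def check_full_mub_set(d):
    """True iff mub_bases(d) is a full set of d + 1 MUBs of C^d."""
    bases = mub_bases(d)
    return (len(bases) == d + 1
            and all(is_orthonormal(b) for b in bases)
            and is_mutually_unbiased(bases))
```

The check is brute force over all $d(d+1)$ vectors, so it is meant for small $d$; the point is that the unbiasedness condition is a finite, mechanically checkable property of the unitaries, which is what the extractor constructions below rely on.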
To state our result, we will need one more notion. A family $\mathcal{P}$ of permutations of a set 
$X$ is pairwise independent if for all $x_1 \ne x_2$ and $y_1 \ne y_2$, and if $\pi$ is uniformly distributed 
over $\mathcal{P}$, $\Pr\{\pi(x_1) = y_1, \pi(x_2) = y_2\} = \frac{1}{d_X(d_X - 1)}$. If $X$ has a structure, i.e., if $d_X$ is a 
prime power, it is simple to see that the family $\mathcal{P} = \{x \mapsto a\cdot x + b : a \in X^*, b \in X\}$ is 
pairwise independent. In the following, a permutation of basis elements of a Hilbert space 
$A$ should be seen as a unitary transformation on $A$. 
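As an added example (not code from the thesis), the following Python builds the family $\{x \mapsto a\cdot x + b\}$ over $X = \mathbb{Z}_p$ for a prime $p$ (the text allows any prime power; a prime is used so that the field arithmetic is plain modular arithmetic) and verifies the pairwise independence condition by exhaustive counting, with the cyclic shifts $\{x \mapsto x + b\}$ as a contrasting family that is not pairwise independent. Function names are the example's own.

```python
from fractions import Fraction
from itertools import product

# Added example, not code from the thesis. Builds the family
# P = { x -> a*x + b : a in X*, b in X } over X = Z_p for a prime p (a prime
# power in the text; the prime case keeps the field arithmetic to plain modular
# arithmetic) and checks pairwise independence by exhaustive counting.


def affine_permutations(p):
    """All maps x -> (a*x + b) mod p with a != 0, each as a tuple of images."""
    return [tuple((a * x + b) % p for x in range(p))
            for a in range(1, p) for b in range(p)]


def cyclic_shifts(p):
    """The smaller family x -> (x + b) mod p, used below as a negative example."""
    return [tuple((x + b) % p for x in range(p)) for b in range(p)]


def all_permutations(perms, d):
    """Sanity check that every map in the family really is a bijection on Z_d."""
    return all(sorted(pi) == list(range(d)) for pi in perms)


def is_pairwise_independent(perms, d):
    """Check Pr[pi(x1)=y1, pi(x2)=y2] == 1/(d(d-1)) for all x1 != x2, y1 != y2,

    where pi is uniform over perms. Exact rational arithmetic is used so the
    comparison is not subject to rounding.
    """
    target = Fraction(1, d * (d - 1))
    n = len(perms)
    for x1, x2 in product(range(d), repeat=2):
        if x1 == x2:
            continue
        for y1, y2 in product(range(d), repeat=2):
            if y1 == y2:
                continue
            hits = sum(1 for pi in perms if pi[x1] == y1 and pi[x2] == y2)
            if Fraction(hits, n) != target:
                return False
    return True


def number_of_unitaries(p):
    """t = (d_A + 1)|P| from Theorem 5.2.11 with d_A = p, i.e. (p + 1) p (p - 1)."""
    return (p + 1) * len(affine_permutations(p))
```

For the affine family every pair of distinct inputs is mapped to every pair of distinct outputs by exactly one $(a, b)$, which is why the count divides out to $1/(p(p-1))$; the shifts fail because they fix the difference $\pi(x_2) - \pi(x_1)$.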

Theorem 5.2.11. Let $A = A_1A_2$ with $n = \log d_A$, $d_A$ a prime power, and consider the map 
$\mathcal{T}_{A\to A_1}$ as defined in equation (5.3). Then, if $\{U_1, \ldots, U_{d_A+1}\}$ defines a full set of mutually 
unbiased bases, we have for $\delta > 0$, 
$$\Big\| \frac{1}{|\mathcal{P}|(d_A+1)} \sum_{P\in\mathcal{P}} \sum_{i=1}^{d_A+1} \mathcal{T}_{A\to A_1}\big((PU_i)\rho_{AE}(PU_i)^\dagger\big) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E \Big\|_1 \le \sqrt{\frac{d_{A_1}}{d_A+1}\, 2^{-H^{\delta}_{\min}(A|E)_\rho}} + 2\delta \qquad (5.19)$$
where $\mathcal{P}$ is a set of pairwise independent permutation matrices. In particular, the set 
$\{PU_i : P \in \mathcal{P}, i \in [d_A + 1]\}$ defines a $(k, \varepsilon)$-QC-extractor provided 
$$\log d_{A_1} \le n + k - 2\log(1/\varepsilon)$$
and the number of unitaries is 
$$t = (d_A + 1)|\mathcal{P}|,$$
which for the pairwise independent permutations described above gives $t = (d_A+1)d_A(d_A-1)$. 



Proof. The idea is to bound the trace norm in equation (5.19) by the Hilbert-Schmidt norm 
of some well-chosen operator. This term is then computed exactly using the fact that the set 
of all the MUB vectors forms a complex projective 2-design (Lemma A.3.3), and the fact that 
the set of permutations is pairwise independent. 

Similar to the proof of Theorem 5.2.8, but with the difference that now $\tilde\rho_{AE} = (\mathrm{id}_A\otimes\sigma_E)^{-1/4}\rho_{AE}(\mathrm{id}_A\otimes\sigma_E)^{-1/4}$ for some $\sigma_E \in \mathcal{S}(E)$ to be chosen later, we get 
$$\Big\| \frac{1}{|\mathcal{P}|(d_A+1)}\sum_{P\in\mathcal{P}}\sum_{i=1}^{d_A+1} \mathcal{T}\big((PU_i)\rho_{AE}(PU_i)^\dagger\big) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \sqrt{ d_{A_1}\sum_{a_1,a_2,a_2'} \mathrm{tr}\big[\tilde\rho_{AE}^{\otimes 2}\,(\Gamma_{a_1,a_2,a_2'}\otimes F_{EE'})\big] - \mathrm{tr}[\tilde\rho_E^2] } \qquad (5.20)$$
where $\Gamma_{a_1,a_2,a_2'} = \mathbb{E}_{P,i}\big[(U_i^\dagger P^\dagger)^{\otimes 2}\,|a_1a_2\,a_1a_2'\rangle\langle a_1a_2\,a_1a_2'|\,(PU_i)^{\otimes 2}\big]$ and $F_{EE'}$ is the swap 
operator. We now compute $\Gamma_{a_1,a_2,a_2'}$, handling the case $a_2 = a_2'$ and the case $a_2 \ne a_2'$ 
differently. When $a_2 = a_2'$, we have $(U_i^\dagger)^{\otimes 2}|aa\rangle\langle aa|U_i^{\otimes 2} = (U_i^\dagger|a\rangle\langle a|U_i)^{\otimes 2}$, where 
$a = P^{-1}(a_1a_2)$. As $\{U_1, \ldots, U_{d_A+1}\}$ form a full set of mutually unbiased bases, the vectors 
$\{U_i^\dagger|a\rangle\}_{i,a}$ define a complex projective 2-design (Lemma A.3.3), and we get 
$$\sum_{a_1,a_2,\,a_2'=a_2} \mathbb{E}_{P,i}\big[(U_i^\dagger P^\dagger)^{\otimes 2}|a_1a_2\,a_1a_2\rangle\langle a_1a_2\,a_1a_2|(PU_i)^{\otimes 2}\big] = \frac{1}{d_A+1}\sum_{i}\sum_{a} (U_i^\dagger)^{\otimes 2}|aa\rangle\langle aa|U_i^{\otimes 2} = \frac{2\Pi^{\mathrm{sym}}_{AA'}}{d_A(d_A+1)}\,d_A \qquad (5.21)$$
where $\Pi^{\mathrm{sym}}_{AA'}$ is the projector onto the symmetric subspace of $AA'$, i.e., the subspace spanned 
by vectors $|a'a\rangle + |aa'\rangle$. We now consider $a_2 \ne a_2'$. We have 
$$\mathbb{E}_P\big[(P^\dagger)^{\otimes 2}|a_1a_2\,a_1a_2'\rangle\langle a_1a_2\,a_1a_2'|P^{\otimes 2}\big] = \mathbb{E}_P\big[|P^{-1}(a_1a_2)\rangle\langle P^{-1}(a_1a_2)| \otimes |P^{-1}(a_1a_2')\rangle\langle P^{-1}(a_1a_2')|\big]$$
$$= \sum_{a\ne a'} \Pr_P\{P^{-1}(a_1a_2) = a,\ P^{-1}(a_1a_2') = a'\}\,|a\rangle\langle a|\otimes|a'\rangle\langle a'| = \frac{1}{d_A(d_A-1)}\sum_{a\ne a'}|a\rangle\langle a|\otimes|a'\rangle\langle a'| = \frac{1}{d_A(d_A-1)}\Big(\mathrm{id}_{AA'} - \sum_a |aa\rangle\langle aa|\Big). \qquad (5.22)$$
Going back to equation (5.21), we get together with equation (5.22) that for any $a_2 \ne a_2'$, 
$$\mathbb{E}_{P,i}\big[(U_i^\dagger)^{\otimes 2}(P^\dagger)^{\otimes 2}|a_1a_2\,a_1a_2'\rangle\langle a_1a_2\,a_1a_2'|P^{\otimes 2}U_i^{\otimes 2}\big] = \frac{\mathrm{id}_{AA'}}{d_A(d_A-1)} - \frac{1}{d_A(d_A-1)}\,\frac{1}{d_A+1}\sum_i\sum_a (U_i^\dagger)^{\otimes 2}|aa\rangle\langle aa|U_i^{\otimes 2}$$
$$= \frac{\mathrm{id}_{AA'}}{d_A(d_A-1)} - \frac{\mathrm{id}_{AA'} + F_{AA'}}{d_A(d_A-1)(d_A+1)} = \frac{d_A\,\mathrm{id}_{AA'} - F_{AA'}}{d_A(d_A^2-1)}.$$
This being true for all $a_1, a_2, a_2'$, it follows with equation (5.20) that 
$$\Big\|\mathbb{E}_{P,i}\big[\mathcal{T}((PU_i)\rho_{AE}(PU_i)^\dagger)\big] - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \sqrt{ d_{A_1}\,\mathrm{tr}\Big[\tilde\rho_{AE}^{\otimes 2}\Big(\Big(\frac{\mathrm{id}_{AA'}+F_{AA'}}{d_A+1} + \frac{d_A(d_{A_2}-1)}{d_A^2-1}\Big(\mathrm{id}_{AA'} - \frac{F_{AA'}}{d_A}\Big)\Big)\otimes F_{EE'}\Big)\Big] - \mathrm{tr}[\tilde\rho_E^2] }.$$
Expanding the expression inside the square root, we obtain 
$$d_{A_1}\Big(\frac{1}{d_A+1} + \frac{d_A(d_{A_2}-1)}{d_A^2-1}\Big)\mathrm{tr}\big[\tilde\rho_{AE}^{\otimes 2}(\mathrm{id}_{AA'}\otimes F_{EE'})\big] + d_{A_1}\Big(\frac{1}{d_A+1} - \frac{d_{A_2}-1}{d_A^2-1}\Big)\mathrm{tr}\big[\tilde\rho_{AE}^{\otimes 2}(F_{AA'}\otimes F_{EE'})\big] - \mathrm{tr}[\tilde\rho_E^2]. \qquad (5.23)$$
Continuing from (5.23), we get 
$$= \frac{1-d_{A_1}}{d_A^2-1}\,\mathrm{tr}[\tilde\rho_E^2] + \frac{d_{A_1}(d_A-d_{A_2})}{d_A^2-1}\,\mathrm{tr}[\tilde\rho_{AE}^2] \le \frac{d_{A_1}}{d_A+1}\,\mathrm{tr}[\tilde\rho_{AE}^2] = \frac{d_{A_1}}{d_A+1}\,2^{-H_2(A|E)_{\rho|\sigma}},$$
where we used the definition of the conditional collision entropy (equation (2.17)) in the last 
step. Now, by choosing $\sigma_E$ appropriately, and an argument analogous to the very end of the 
proof of Theorem 5.2.8, we conclude that 
$$\Big\|\mathbb{E}_{P,i}\big[\mathcal{T}((PU_i)\rho_{AE}(PU_i)^\dagger)\big] - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \sqrt{\frac{d_{A_1}}{d_A+1}\,2^{-H^{\delta}_{\min}(A|E)_\rho}} + 2\delta. \qquad\square$$



In terms of output size, this construction is almost optimal, but the number of unitaries 
is again much larger than we expect should be possible. 



5.2.3 Bitwise QC-extractor 

The unitaries we construct in this section are even simpler. They are composed of unitaries 
$V$ acting on single qudits followed by permutations $P$ of the computational basis elements. 
Note that this means that the measurements defined by these unitaries can be implemented 
with current technology. As the measurement $\mathcal{T}$ commutes with the permutations $P$, we 
can first apply $V$, then measure in the computational basis and finally apply the permutation 
to the (classical) outcome of the measurement. In addition to the computational efficiency, 
the fact that the unitaries act on single qudits is often a desirable property for the design 
of cryptographic protocols. In particular, the application to the noisy storage model that we 
present in Section 5.4 does make use of this fact. But the price we pay is that the parameters 
(both output and seed size) are worse than in the previous construction. 

Let $d \ge 2$ be a prime power so that there exists a complete set of mutually unbiased 
bases in dimension $d$. We represent such a set of bases by a set of unitary transformations 
$\{V_0, V_1, \ldots, V_d\}$ mapping these bases to the standard basis. For example, for the qubit space 
($d = 2$), we can choose 
$$V_0 = \mathrm{id}, \qquad V_1 = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}, \qquad V_2 = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & i \\ -i & -1 \end{pmatrix}.$$
We define the set $\mathcal{V}_{d,n}$ of unitary transformations on $n$ qudits by $\mathcal{V}_{d,n} \stackrel{\mathrm{def}}{=} \{V = V_{u_1}\otimes\cdots\otimes V_{u_n} \mid u_i \in \{0, \ldots, d\}\}$. 
As in the previous section, $\mathcal{P}$ denotes a family of pairwise independent permutations. 

Theorem 5.2.12. Let $A = A_1A_2$ with $d_A = d^n$, $d_{A_1} = d^{\xi n}$, $d_{A_2} = d^{(1-\xi)n}$, and $d$ a prime 
power. Consider the map $\mathcal{T}_{A\to A_1}$ as defined in equation (5.3). Then for $\delta > 0$ and $\delta' > 0$, 
$$\Big\|\frac{1}{|\mathcal{P}|(d+1)^n}\sum_{P\in\mathcal{P}}\sum_{V\in\mathcal{V}_{d,n}} \mathcal{T}_{A\to A_1}\big((PV)\rho_{AE}(PV)^\dagger\big) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \sqrt{2^{(1-\log(d+1)+\xi\log d)n}\big(1 + 2^{-H^\delta_{\min}(A|E)_\rho + z}\big)} + 2(\delta+\delta') \qquad (5.24)$$
where $\mathcal{V}_{d,n}$ is defined as above, $\mathcal{P}$ is a set of pairwise independent permutation matrices, and 
$z = \log\big(\frac{2}{\delta'^2} + \frac{1}{1-2\delta}\big)$. In particular, the set $\{PV : P \in \mathcal{P}, V \in \mathcal{V}_{d,n}\}$ is a $(k, \varepsilon)$-extractor 
provided 
$$\log d_{A_1} \le (\log(d+1) - 1)n + \min\{0, k\} - 4\log(1/\varepsilon) - 7$$
and if we choose the pairwise independent permutations described in Theorem 5.2.11 the 
number of unitaries is 
$$t = (d+1)^n d^n (d^n - 1).$$
The analysis uses the same technique as in the proof of Theorem 5.2.11. The main 
difference is that we were not able to express the Hilbert-Schmidt norm exactly in terms 
of the conditional min-entropy $H_{\min}(A|E)_\rho$. Instead, we use some additional inequalities, 
which account for the slightly more complicated expression we obtain. 



Proof. We use the same strategy as in the proofs of Theorem 5.2.8 and Theorem 5.2.11, 
here again with $\tilde\rho_{AE} = (\mathrm{id}_A\otimes\rho_E)^{-1/4}\rho_{AE}(\mathrm{id}_A\otimes\rho_E)^{-1/4}$. As in (5.20) and (5.22), we get 
$$\Big\|\mathbb{E}_{P,V}\big[\mathcal{T}((PV)\rho_{AE}(PV)^\dagger)\big] - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \sqrt{ d_{A_1}\,\mathrm{tr}\Big[\tilde\rho_{AE}^{\otimes 2}\Big(\Big(\sum_a\Gamma_a + \frac{d_A(d_{A_2}-1)}{d_A(d_A-1)}\Big(\mathrm{id}_{AA'} - \sum_a\Gamma_a\Big)\Big)\otimes F_{EE'}\Big)\Big] - \mathrm{tr}[\tilde\rho_E^2] }, \qquad (5.25)$$
where $\Gamma_a = \mathbb{E}_V\big[(V^\dagger|a\rangle\langle a|V)^{\otimes 2}\big]$. We calculate 
$$\sum_a\Gamma_a = \frac{1}{(d+1)^n}\sum_{a_1,\ldots,a_n}\sum_{V_1,\ldots,V_n}\bigotimes_{i=1}^n (V_i^\dagger|a_i\rangle\langle a_i|V_i)^{\otimes 2} = \bigotimes_{i=1}^n\Big(\frac{1}{d+1}\sum_{a_i,V_i}(V_i^\dagger|a_i\rangle\langle a_i|V_i)^{\otimes 2}\Big). \qquad (5.26)$$
As $\{V_0, \ldots, V_d\}$ form a maximal set of mutually unbiased bases in dimension $d$, and with 
this form a complex projective 2-design (Lemma A.3.3), we have 
$$\sum_{a\in\{0,\ldots,d-1\},\,V\in\mathcal{V}_{d,1}} (V^\dagger|a\rangle\langle a|V)^{\otimes 2} = 2\Pi^{\mathrm{sym}},$$
where $\Pi^{\mathrm{sym}}$ is the projector onto the symmetric subspace, i.e., the subspace spanned by 
vectors $|a'a\rangle + |aa'\rangle$. Furthermore $(\Pi^{\mathrm{sym}}_{BB'})^{\otimes n} \le \Pi^{\mathrm{sym}}_{B^nB'^n}$ for any inner product space $B$, and 
hence we obtain 
$$\bigotimes_{i=1}^n\Big(\frac{1}{d+1}\sum_{a_i,V_i}(V_i^\dagger|a_i\rangle\langle a_i|V_i)^{\otimes 2}\Big) = \Big(\frac{2}{d+1}\Big)^n\big(\Pi^{\mathrm{sym}}\big)^{\otimes n} \le \Big(\frac{2}{d+1}\Big)^n\,\frac{\mathrm{id}_{AA'}+F_{AA'}}{2}. \qquad (5.27)$$
Plugging equation (5.27) into the expression inside the square root in equation (5.25), we 
can bound it by 
$$\le d_{A_1}\,\mathrm{tr}\Big[\tilde\rho_{AE}^{\otimes 2}\Big(\Big(\Big(\frac{2}{d+1}\Big)^n\frac{\mathrm{id}_{AA'}+F_{AA'}}{2} + \frac{d_A(d_{A_2}-1)}{d_A(d_A-1)}\,\mathrm{id}_{AA'}\Big)\otimes F_{EE'}\Big)\Big] - \mathrm{tr}[\tilde\rho_E^2]$$
$$= \Big(\frac{d_A-d_{A_1}}{d_A-1} + \frac{d_{A_1}}{2}\Big(\frac{2}{d+1}\Big)^n\Big)\mathrm{tr}\big[\tilde\rho_{AE}^{\otimes 2}(\mathrm{id}_{AA'}\otimes F_{EE'})\big] + \frac{d_{A_1}}{2}\Big(\frac{2}{d+1}\Big)^n\mathrm{tr}\big[\tilde\rho_{AE}^{\otimes 2}(F_{AA'}\otimes F_{EE'})\big] - \mathrm{tr}[\tilde\rho_E^2]$$
$$\le \Big(1 + 2^{(1-\log(d+1)+\xi\log d)n-1}\Big)\mathrm{tr}[\tilde\rho_E^2] + 2^{(1-\log(d+1)+\xi\log d)n-1}\,\mathrm{tr}[\tilde\rho_{AE}^2] - \mathrm{tr}[\tilde\rho_E^2].$$
Continuing from (5.25), we get 
$$\le \sqrt{ 2^{(1-\log(d+1)+\xi\log d)n}\,\mathrm{tr}[\tilde\rho_E^2] + 2^{(1-\log(d+1)+\xi\log d)n}\,\mathrm{tr}[\tilde\rho_{AE}^2] } = \sqrt{ 2^{(1-\log(d+1)+\xi\log d)n}\big(1 + 2^{-H_2(A|E)_{\rho|\rho}}\big) },$$
where we used $\mathrm{tr}[\tilde\rho_E^2] = \mathrm{tr}[\rho_E] = 1$ and the definition of the conditional collision entropy (equation (2.17)) in the last 
step. Again by an argument analogous to the very end of the proof of Theorem 5.2.8, we 
conclude that 
$$\Big\|\mathbb{E}_{P,V}\big[\mathcal{T}((PV)\rho_{AE}(PV)^\dagger)\big] - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \sqrt{2^{(1-\log(d+1)+\xi\log d)n}\big(1 + 2^{-H^\delta_{\min}(A|E)_\rho + z}\big)} + 2(\delta+\delta'),$$
where $z = \log\big(\frac{2}{\delta'^2} + \frac{1}{1-2\delta}\big)$. Setting $\delta = $ and $\delta' = \varepsilon/4$, we conclude that the set 
$\{PV : P \in \mathcal{P}, V \in \mathcal{V}_{d,n}\}$ is a $(k, \varepsilon)$-QC-extractor provided 
$$\log d_{A_1} = \xi n \log d \le (\log(d+1) - 1)n - \log\big(1 + 2^{-k + \log(8/\varepsilon^2 + 1)}\big) + \log((\varepsilon/2)^2)$$
$$\le (\log(d+1) - 1)n + \min\{0, k - \log(8/\varepsilon^2 + 1)\} - 2\log(1/\varepsilon) - 3$$
$$\le (\log(d+1) - 1)n + \min\{0, k\} - 4\log(1/\varepsilon) - 7. \qquad\square$$

It seems that the parameters proved for this QC-extractor construction are not optimal. 
In fact, equation (5.24) does not give anything non-trivial when $H_{\min}(A|E)_\rho < -(\log(d+1) - 1)n$. 
We believe however that it should be possible to obtain a non-trivial statement for 
any min-entropy as long as it is larger than $-cn\log d$ for some $c < 1$. Such an improvement 
would be quite interesting for the application we provide to two-party secure computation 
in Section 5.4 (see the discussion following Theorem 5.4.2). We think that the place where 
the analysis should be improved is the inequality (5.27). If we do not use this inequality, we 
end up with having to handle an expression of the form 

[equation (5.28): a sum over $S \subseteq [n]$; the summand is lost in extraction] (5.28) 

where $A_S$ refers to the qudits of $A$ indexed by elements of $S$. Because we have $\mathrm{tr}[\tilde\rho_{A_SE}^2] \le 2^{|S|\log d}$ 
for any $S$, the sum in equation (5.28) is always bounded by $(d+1)^n$. It would 
be interesting for example to show that whenever $H_{\min}(A|E) \ge -cn\log d$ for some $c < 1$, 
then there exists some $\beta < d + 1$ such that the sum in (5.28) is bounded by $\beta^n$. This kind of 
statement is related to min-entropy sampling [König and Renner, 2011]. The problem there 
is to prove that for most subsets $S$ of $[n]$ of size $r$, we have $H_{\min}(A_S|E) \ge \frac{r}{n}H_{\min}(A|E)$. 
Such a statement was proved by König and Renner [2011] in the case where $A$ is classical. 
It would be interesting to see if such a result holds when $A$ is a general quantum system. 



5.3 Entropic uncertainty relations with quantum side information 

In this section, we show how to obtain entropic uncertainty relations from general QC-extractors. 

5.3.1 Min-entropy uncertainty relations 

We start by proving uncertainty relations for the smooth min-entropy, which is usually 
the relevant measure in the context of cryptography. Consider the state $\rho_{XEJ} = \frac{1}{t}\sum_{j=1}^t \mathcal{M}_{A\to X}(U_j\rho_{AE}U_j^\dagger)\otimes|j\rangle\langle j|$. 
We note that unlike for the von Neumann entropy, 
the conditional entropy $H_{\min}(X|EJ)_\rho$ is not the same as the average $\frac{1}{t}\sum_{j=1}^t H_{\min}(X|E)_{\rho^j}$, 
where $\rho^j = \mathcal{M}_{A\to X}(U_j\rho_{AE}U_j^\dagger)$. However, by concavity of the logarithm, we have 
$$\frac{1}{t}\sum_{j=1}^t H_{\min}(X|E)_{\rho^j} \ge -\log\Big(\frac{1}{t}\sum_{j=1}^t 2^{-H_{\min}(X|E)_{\rho^j}}\Big) = H_{\min}(X|EJ)_\rho .$$
Here, we used the expression for the conditional min-entropy in (2.11). It follows that 
proving lower bounds for $H_{\min}(X|EJ)$ is stronger and directly gives lower bounds for 
the average measurement entropy. For this reason, we use the conditional min-entropy 
$H_{\min}(X|EJ)$ in place of the average entropy. 

The following lemma shows that a QC-extractor directly satisfies an uncertainty relation 
for the smooth min-entropy. The idea is simple: if the outcome of the QC-extractor is $\varepsilon$-close 
to $\frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E$, then by the definition of the smoothed entropies, the smooth min-entropy 
of the outcome has to be at least $\log d_{A_1}$. 

Lemma 5.3.1. Let $\rho_{AE} \in \mathcal{S}(AE)$, and $\{U_1, \ldots, U_t\}$ be a set of unitaries on $A$ such that 
$$\Big\|\frac{1}{t}\sum_{j=1}^t \mathcal{T}_{A\to A_1}(U_j\rho_{AE}U_j^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \varepsilon(\rho), \qquad (5.29)$$
for some $\varepsilon(\rho)$ depending on the input state $\rho_{AE}$. Then 
$$H^{\varepsilon(\rho)}_{\min}(X|EJ)_\rho \ge \log d_{A_1},$$
where $\rho_{XEJ} = \frac{1}{t}\sum_{j=1}^t \mathcal{M}_{A\to X}(U_j\rho_{AE}U_j^\dagger)\otimes|j\rangle\langle j|$ and $\mathcal{M}_{A\to X}$ is the measurement in the 
computational basis. 



Proof. By the definition of the smooth min-entropy and the inequality (2.7) between the 
purified and trace distance, condition (5.29) directly translates into 
$$H^{\varepsilon(\rho)}_{\min}(A_1|EJ)_\rho \ge H_{\min}(A_1|EJ)_{\frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\otimes\frac{\mathrm{id}_J}{t}} = \log d_{A_1},$$
where $\rho = \frac{1}{t}\sum_{j=1}^t |j\rangle\langle j| \otimes \mathcal{T}_{A\to A_1}(U_j\rho_{AE}U_j^\dagger)$. Recall that $\mathcal{T}$ performs a measurement in 
the computational basis and then discards a (classical) system called $A_2$. Because we are 
only discarding a classical system, the min-entropy of the whole measurement outcome is 
at least the min-entropy in the register $A_1$ (see Lemma 2.2.6). As a result, 
$$H^{\varepsilon(\rho)}_{\min}(X|EJ)_\rho \ge H^{\varepsilon(\rho)}_{\min}(A_1|EJ)_\rho \ge \log d_{A_1}. \qquad\square$$

This allows us to translate all our constructions from Section 5.2 into a min-entropy 
uncertainty relation form. Note that conversely, we can convert a min-entropy uncertainty 
relation into a QC-extractor simply by applying a CC-extractor. We state below uncertainty 
relations for mutually unbiased bases and for "single-qudit" bases. 
Corollary 5.3.2. Let $A$ be a Hilbert space such that $d_A$ is a prime power. Let 
$\{U_1, \ldots, U_{d_A+1}\}$ be a full set of mutually unbiased bases. For any state $\rho_{AE}$, we have 
for all $\varepsilon > 0$ and $0 < \delta < \varepsilon^2/4$, 
$$H^{\varepsilon}_{\min}(X|EJ)_\rho \ge \log(d_A+1) + H^\delta_{\min}(A|E)_\rho - \log\frac{1}{(\varepsilon^2/2 - 2\delta)^2},$$
where $\rho_{XEJ} = \frac{1}{d_A+1}\sum_j \mathcal{M}_{A\to X}(U_j\rho U_j^\dagger)\otimes|j\rangle\langle j|$. 

Proof. Recall that the unitaries of the QC-extractor of Theorem 5.2.11 are composed of 
mutually unbiased bases $U_1, \ldots, U_{d_A+1}$ but also some permutations $P \in \mathcal{P}$. Letting $\rho_{XEJ} = \frac{1}{d_A+1}\sum_j \mathcal{M}_{A\to X}(U_j\rho U_j^\dagger)\otimes|j\rangle\langle j|$, 
Lemma 5.3.1 gives $H^{\varepsilon'}_{\min}(P(X)|EJP)_\rho \ge \log d_{A_1}$. But 
$P$ is a permutation that simply relabels the measurement outcomes, and thus does not change 
the entropy. It follows that 
$$H^{\varepsilon'}_{\min}(X|EJ)_\rho \ge \log d_{A_1}.$$
Now it only remains to choose the dimension $d_{A_1}$. We pick 
$$d_{A_1} = \Big\lfloor (\varepsilon' - 2\delta)^2\,\frac{d_A+1}{2^{-H^\delta_{\min}(A|E)_\rho}} \Big\rfloor .$$
Plugging this value of $d_{A_1}$ in (5.19), we get 
$$\Big\|\frac{1}{|\mathcal{P}|(d_A+1)}\sum_{P\in\mathcal{P}}\sum_{i=1}^{d_A+1}\mathcal{T}_{A\to A_1}\big((PU_i)\rho_{AE}(PU_i)^\dagger\big) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \varepsilon' .$$
As a result, condition (5.29) is satisfied with $\varepsilon(\rho) = \varepsilon'$. The desired result follows from the 
fact that $\log d_{A_1} \ge \log(1/2) + \log\big((\varepsilon' - 2\delta)^2\big) + \log(d_A+1) + H^\delta_{\min}(A|E)_\rho$. $\square$ 



From the point of view of applications, the following entropic uncertainty relation 
for single-qudit measurements is probably the most interesting. It can be seen as a 
generalization to allow for quantum side information of uncertainty relations obtained by 
Damgård et al. [2007]. The proof is very similar to the proof of the previous corollary. 



Corollary 5.3.3. Let $d \ge 2$ be a prime power. For any state $\rho_{AE}$, we have 
$$H^{\varepsilon}_{\min}(X|EJ)_\rho \ge n\cdot(\log(d+1) - 1) + \min\Big\{0,\ H^\delta_{\min}(A|E)_\rho - \log\Big(\frac{2}{\delta'^2} + \frac{1}{1-2\delta}\Big)\Big\} - \log\frac{1}{(\varepsilon^2/2 - 2(\delta+\delta'))^2},$$
where $\rho_{XEJ} = \frac{1}{(d+1)^n}\sum_j \mathcal{M}_{A\to X}(V_j\rho V_j^\dagger)\otimes|j\rangle\langle j|$ and $\{V_j\}_j = \mathcal{V}_{d,n}$ as defined in Theorem 
5.2.12. 
Proof. We choose the dimension $d_{A_1} = d^{\xi n}$ of the $A_1$ system of Theorem 5.2.12 to be 
$$d_{A_1} = \Big\lfloor \big(\varepsilon' - 2(\delta+\delta')\big)^2\,\frac{2^{(\log(d+1)-1)n}}{1 + 2^{-H^\delta_{\min}(A|E)_\rho + z}} \Big\rfloor .$$
We also compute 
$$\log d_{A_1} \ge -\log\frac{1}{(\varepsilon' - 2(\delta+\delta'))^2} + n\cdot(\log(d+1) - 1) - \log\big(1 + 2^{-H^\delta_{\min}(A|E)_\rho + z}\big) - 2$$
$$\ge n\cdot(\log(d+1) - 1) + \min\{0, H^\delta_{\min}(A|E)_\rho - z\} - \log\frac{1}{(\varepsilon' - 2(\delta+\delta'))^2} .$$
Setting $\sqrt{2\varepsilon'} = \varepsilon$, we achieve the desired result. $\square$ 



5.3.2 Uncertainty relations for the von Neumann entropy 

Uncertainty relations for the conditional von Neumann entropy can also be obtained as in 
Proposition 3.2.2. 



Lemma 5.3.4. Let $\rho_{AE} \in \mathcal{S}(AE)$, and $\{U_1, \ldots, U_t\}$ be a set of unitaries on $A$ such that 
$$\Big\|\frac{1}{t}\sum_{j=1}^t \mathcal{T}_{A\to A_1}(U_j\rho_{AE}U_j^\dagger) - \frac{\mathrm{id}_{A_1}}{d_{A_1}}\otimes\rho_E\Big\|_1 \le \varepsilon(\rho)$$
for some $\varepsilon(\rho)$ depending on the input state $\rho_{AE}$. Then 
$$\frac{1}{t}\sum_{j=1}^t H(X|E)_{\rho^j} = H(X|EJ)_\rho \ge (1 - 4\varepsilon(\rho))\log d_{A_1} - 2h_2(\varepsilon(\rho)),$$
where $\rho^j = \mathcal{M}_{A\to X}(U_j\rho_{AE}U_j^\dagger)$ and $\rho_{XEJ} = \frac{1}{t}\sum_{j=1}^t \rho^j\otimes|j\rangle\langle j|$. 



Proof. The argument is the same as the proof of Lemma 5.3.1 except that instead 
of just obtaining a bound on the smooth entropy, we use the Alicki-Fannes inequality 
(Lemma 2.2.5). $\square$ 

This lemma can naturally be applied directly to all the constructions of QC-extractors. 
For example, for a full set of mutually unbiased bases, by choosing $d_{A_1} = (\varepsilon - 2\delta)^2(d_A+1)2^{H^\delta_{\min}(A|E)_\rho}$, we can get 
$$\frac{1}{d_A+1}\sum_{j=1}^{d_A+1} H(X|E)_{\rho^j} \ge (1 - 4\varepsilon)\Big(\log(d_A+1) + H^\delta_{\min}(A|E)_\rho - \log\frac{1}{(\varepsilon - 2\delta)^2}\Big) - 2h_2(\varepsilon). $$
Using the asymptotic equipartition property for the smooth min-entropy, we can obtain an 
uncertainty relation only in terms of von Neumann entropies. 

Proposition 5.3.5. Let $d \ge 2$ be a prime power, and $\{V_0, V_1, \ldots, V_d\}$ define a complete set 
of MUBs of $\mathbb{C}^d$. Consider the set of measurements on the $n$-qudit space $A$ defined by the 
unitary transformations $\{V = V_{u_1}\otimes\cdots\otimes V_{u_n} \mid u_i \in \{0, \ldots, d\}\}$ that we index by numbers 
from $1$ to $(d+1)^n$ as $\{V_j\}_{j\in\{1,\ldots,(d+1)^n\}}$. Then for all $\rho_{AE} \in \mathcal{S}(AE)$, we have 
$$\frac{1}{(d+1)^n}\sum_{j=1}^{(d+1)^n} H(X|E)_{\rho^j} \ge n\cdot(\log(d+1) - 1) + \min\{0, H(A|E)_\rho\},$$
where $\rho^j = \mathcal{M}_{A\to X}(V_j\rho V_j^\dagger)$. 



Proof. Using the QC-extractor for the single-qudit MUB of Theorem 5.2.12 with 
$$d_{A_1} = \big(\varepsilon - 2(\delta+\delta')\big)^2\,\frac{2^{(\log(d+1)-1)n}}{1 + 2^{-H^\delta_{\min}(A|E)_{\rho|\rho}}},$$
we get 
$$\frac{1}{(d+1)^n}\sum_{j=1}^{(d+1)^n} H(X|E)_{\rho^j} \ge (1 - 4\varepsilon)\Big(n(\log(d+1) - 1) - \log\big(1 + 2^{-H^\delta_{\min}(A|E)_{\rho|\rho}}\big) - \log\frac{1}{(\varepsilon - 2(\delta+\delta'))^2}\Big) - 2h_2(\varepsilon)$$
$$\ge (1 - 4\varepsilon)\Big(n(\log(d+1) - 1) + \min\{0, H^\delta_{\min}(A|E)_{\rho|\rho}\} - 2 - \log\frac{1}{(\varepsilon - 2(\delta+\delta'))^2}\Big) - 2h_2(\varepsilon). \qquad (5.30)$$
Here, we use a version with $H^\delta_{\min}(A|E)_{\rho|\rho}$ instead of $H^\delta_{\min}(A|E)_\rho$ that is in the statement of 
Theorem 5.2.12. The expression with $H^\delta_{\min}(A|E)_{\rho|\rho}$ is however easily obtained by looking 
at the proof. Evaluating equation (5.30) on the $m$-fold tensor product of the original input 
system $d^n$, and multiplying both sides with $1/m$, we obtain 
$$\frac{1}{(d+1)^n}\sum_{j=1}^{(d+1)^n} H(X|E)_{\rho^j} \ge (1 - 4\varepsilon)\Big(n(\log(d+1) - 1) + \min\Big\{0, \frac{1}{m}H^\delta_{\min}(A^m|E^m)_{\rho^{\otimes m}|\rho^{\otimes m}}\Big\} - \frac{1}{m}\Big(2 + \log\frac{1}{(\varepsilon - 2(\delta+\delta'))^2}\Big)\Big) - \frac{2h_2(\varepsilon)}{m}$$
$$\ge (1 - 4\varepsilon)\Big(n(\log(d+1) - 1) + \min\Big\{0, H(A|E)_\rho - O\Big(\frac{1}{\sqrt{m}}\Big)\Big\} - \frac{1}{m}\Big(2 + \log\frac{1}{(\varepsilon - 2(\delta+\delta'))^2}\Big)\Big) - \frac{2h_2(\varepsilon)}{m}.$$
Here we used the fully quantum asymptotic equipartition property for the smooth 
conditional min-entropy (Lemma 2.2.7). By first letting $m \to \infty$ and then $\varepsilon \to 0$, we 
obtain the desired result. $\square$ 

Note that for $n = 1$, this again gives an uncertainty relation for the full set of MUBs 
only in terms of von Neumann entropies, 
$$\frac{1}{d+1}\sum_{j=1}^{d+1} H(X|E)_{\rho^j} \ge \log(d+1) - 1 + \min\{0, H(A|E)_\rho\}. \qquad (5.31)$$
In the special case when $E$ is trivial, we arrive at 
$$\frac{1}{d+1}\sum_{j=1}^{d+1} H(X)_{\rho^j} \ge \log(d+1) - 1, \qquad (5.32)$$
which is the best known bound for a full set of MUBs and general $d$ [Ivanovic, 1992; Larsen, 
1990; Sánchez, 1993]. But without side information and when $d$ is even, this was improved 
by Sánchez-Ruiz [1995] to 

[Sánchez-Ruiz's bound: the equation is lost in extraction, only the sum over the $d+1$ bases survives] 

For one qubit ($d = 2$) the latter gives $2/3$ (which is best possible for three measurements), 
whereas our bound gives $\log 3 - 1 \approx 0.585$. 
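As an added example (not code from the thesis), the following Python evaluates the left-hand side of (5.32) for $d = 2$: the average Shannon entropy of the outcome when a pure qubit state is measured in each of the three mutually unbiased qubit bases. It compares the result with the bound $\log 3 - 1$ of (5.32) and with the value $2/3$ quoted above. The unitaries are the example's own choice of $V_0, V_1, V_2$ (the same three bases as in Section 5.2.3 up to phases), and the random states are a plain sample, not a Haar-distributed one.

```python
import cmath
import math
import random

# Added example, not code from the thesis. Evaluates the left-hand side of (5.32)
# for d = 2 (three qubit MUBs) and compares it with the bounds quoted in the text.

S = 1 / math.sqrt(2)
# Unitaries V_0, V_1, V_2 mapping the Z, X and Y eigenbases to the standard basis.
# V_2 is one valid choice for the Y eigenbasis (this is the example's own choice).
MUB_UNITARIES = [
    [[1, 0], [0, 1]],
    [[S, S], [S, -S]],
    [[S, 1j * S], [-1j * S, -S]],
]


def apply(matrix, vec):
    return [sum(m * v for m, v in zip(row, vec)) for row in matrix]


def outcome_distribution(V, psi):
    """Born-rule probabilities of measuring |psi> in the basis that V maps to the standard basis."""
    probs = [abs(a) ** 2 for a in apply(V, psi)]
    total = sum(probs)
    return [p / total for p in probs]


def shannon(probs):
    """Shannon entropy in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def average_mub_entropy(psi):
    """(1/3) sum_j H(X)_{rho^j} for the pure state psi: the left-hand side of (5.32) with d = 2."""
    return sum(shannon(outcome_distribution(V, psi)) for V in MUB_UNITARIES) / 3


def random_pure_qubit(rng):
    """cos(t/2)|0> + e^{i phi} sin(t/2)|1> with t, phi drawn uniformly (a plain sample, not Haar)."""
    t = rng.uniform(0, math.pi)
    phi = rng.uniform(0, 2 * math.pi)
    return [math.cos(t / 2), cmath.exp(1j * phi) * math.sin(t / 2)]


def min_average_entropy(samples=2000, seed=0):
    """Smallest average MUB entropy found over random pure qubit states."""
    rng = random.Random(seed)
    return min(average_mub_entropy(random_pure_qubit(rng)) for _ in range(samples))


LOG3_MINUS_1 = math.log2(3) - 1     # bound from (5.32) for d = 2, about 0.585
QUBIT_TIGHT_BOUND = 2 / 3           # value quoted in the text for three qubit measurements
```

A basis state such as $|0\rangle$ has zero entropy in its own basis and one bit in each of the other two, giving exactly $2/3$; the random sample never goes below that, while $\log 3 - 1$ sits visibly lower, which is the gap the text points out.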



5.4 Applications to security in the noisy-storage model 



We use the min-entropy uncertainty relation of Corollary 5.3.3 to prove the security of secure 
function evaluation in the noisy storage model. 
5.4.1 Introduction 

Consider two mutually distrustful parties Alice and Bob who want to collaborate to perform 
a distributed computation in a secure fashion. Typically, Alice holds $x$ and Bob holds $y$, and 
they both want to figure out $f(x, y)$ in such a way that each party does not learn too much 
about the other party's input. Unfortunately, if we are looking for information theoretic 
security, it turns out that even quantum communication does not allow us to solve general 
two-party secure function evaluation [Lo, 1997]. For example, it is known that only weak 
variants of (information theoretically secure) bit commitment are possible; see Section 4.6 
and [D'Ariano et al., 2007; Lo and Chau, 1997; Mayers, 1997]. 

The natural question then is under which assumptions we can obtain secure protocols for 
two-party computations. Classically, these assumptions typically limit the computational 
power of a party. One then assumes that a particular problem requires a lot of computational 
resources to solve in some precise complexity theoretic sense, and then one proves using 
this assumption that a cheating strategy needs more computational resources than what is 
available. It goes without saying that the computational assumptions are almost always not 
proven. As computation is such a complicated notion to understand, a natural question is 
then whether one can make simpler assumptions on the devices of the parties. 

Classically, it is possible to obtain security when we are willing to assume that the 
adversary's memory is limited in size [Cachin and Maurer, 1997; Maurer, 1992]. But 
unfortunately, Dziembowski and Maurer [2004] showed that any classical protocol in which 
the honest players need to store $n$ classical bits to execute can be broken by an adversary 
who can store $O(n^2)$ bits. 

Motivated by this unsatisfactory gap, it was thus suggested to assume that the attacker's 
quantum storage was bounded [Damgård et al., 2005, 2007]. The central assumption in 
this model is that during waiting times $\Delta t$ introduced in the protocol, the adversary can 
only store a limited number of qubits $N$. This is the only assumption on the adversary, 
who is otherwise all powerful. In particular, he can store an unlimited amount of classical 
information, and perform any operation instantaneously. The latter implies that he is able 
to perform any encoding and decoding operation before and after using his memory device. 
König et al. [2012], based on Damgård et al. [2005, 2007], constructed a protocol for bit 
commitment using BB84 encoded qubits that is secure whenever Bob is only allowed to 
store $N$ qubits while Alice and Bob exchange more than (roughly) $2N$ qubits during the 
protocol. 

A natural question then is to characterize the property of Bob's storage device that allows 
him and Alice to implement secure two-party function evaluation. The noisy-storage model 
introduced by Schaffner et al. [2008], Wehner et al. [2008] is a generalization of the bounded 
storage model. As in the bounded storage model, during waiting times $\Delta t$, the adversary 
can only keep quantum information in his quantum storage device $\mathcal{F}$. Mathematically, such 
a quantum storage device is simply a quantum channel $\mathcal{F} : \mathcal{S}(\mathcal{H}_{\mathrm{in}}) \to \mathcal{S}(\mathcal{H}_{\mathrm{out}})$ mapping 
input states on the space $\mathcal{H}_{\mathrm{in}}$ to some noisy output states on the space $\mathcal{H}_{\mathrm{out}}$. An example 
of a storage device would be $N$ $d$-dimensional identical memory cells, so that $\mathcal{F}$ takes the 
form $\mathcal{F} = \mathcal{N}^{\otimes N}$. In particular, in the bounded quantum storage model, the adversary is 
only allowed to store $N$ qubits, which means $\mathcal{F} = \mathrm{id}_2^{\otimes N}$ [Damgård et al., 2005, 2007]. The 
kind of statement one proves in this framework is of the following form: Provided $\mathcal{F}$ cannot 
be used to reliably transmit $n$ bits or qubits of information, the protocol $\mathcal{P}_n$ is secure. We 
describe precise versions of this statement in the following sections. 



5.4.2 The noisy storage model 



Weak string erasure 

König et al. [2012] showed that bit commitment and oblivious transfer (footnote 6), and hence any two-party 
secure computation, can be implemented securely against an all-powerful quantum 
adversary given access to a simple primitive called weak string erasure (WSE). Hence, it 
suffices to construct a protocol for WSE that is secure under the assumption that the storage 
devices of the parties are noisy, and we will follow that approach here. 

The motivation behind the weak string erasure primitive is to create a basic quantum 
protocol that builds up classical correlations between Alice and Bob which are later used 
to implement more interesting cryptographic primitives. Informally, weak string erasure 
achieves the following task. WSE takes no inputs from Alice and Bob. Alice receives as 
output a randomly chosen string $X^n = X_1, \ldots, X_n \in \{0,1\}^n$. Bob receives a randomly 
chosen subset $\mathcal{I} \subseteq [n]$ and the substring $X_{\mathcal{I}}$ of $X^n$ corresponding to the bits in positions 
indexed by $\mathcal{I}$. For each $i \in [n]$, we decide independently to put $i$ in the set $\mathcal{I}$ with probability 
$p$. Originally, $p = 1/2$ [König et al., 2012], but any probability $0 < p < 1$ allows for 
the implementation of oblivious transfer [Mandayam and Wehner, 2011]. The security 
requirements of weak string erasure are that Alice does not learn $\mathcal{I}$, and Bob's min-entropy 
given all of his information $B$ is bounded as $H_{\min}(X|B) \ge \lambda n$ for some parameter $\lambda > 0$. 
To summarize all relevant parameters, we thereby speak of an $(n, \lambda, \varepsilon, p)$-WSE scheme. 
The precise requirement of security is stated in terms of (approximate) indistinguishability 
between the states obtained in an execution of the real protocol and some ideal states. 
We should highlight that the notion of distance we use here is the trace distance, which is 
more relevant than the purified distance in the context of cryptography because of its 
interpretation in terms of distinguishing probability [Helstrom, 1967]. It will be convenient to 
express the distribution of the random subset $\mathcal{I}$ by a density operator: 
$$\psi(p) = \sum_{\mathcal{I} \in 2^{[n]}} p^{|\mathcal{I}|}(1-p)^{n-|\mathcal{I}|}\,|\mathcal{I}\rangle\langle\mathcal{I}| . \qquad (5.34)$$

6 Oblivious transfer is an important primitive that was shown to be complete for two-party computation by 
Kilian [1988]. The exact definition is not important here. 

Definition 5.4.1 (Non-uniform WSE). An $(n, \lambda, \varepsilon, p)$-weak string erasure scheme is a 
protocol between A and B satisfying the following properties: 

Correctness: If both parties are honest, then there exists an ideal state $\sigma_{X^n\mathcal{I}X_{\mathcal{I}}}$ such that 

1. The joint distribution of the $n$-bit string $X^n$ and subset $\mathcal{I}$ is given by 
$$\sigma_{X^n\mathcal{I}} = \frac{\mathrm{id}_{X^n}}{2^n}\otimes\psi(p), \qquad (5.35)$$
2. The joint state $\rho_{AB}$ created by the real protocol is equal to the ideal state: $\rho_{AB} = \sigma_{X^n\mathcal{I}X_{\mathcal{I}}}$, 
where we identify $(A, B)$ with $(X^n, \mathcal{I}X_{\mathcal{I}})$. 

Security for Alice: If A is honest, then there exists an ideal state $\sigma_{X^nB'}$ such that 

1. The amount of information $B'$ gives Bob about $X^n$ is limited: 
$$\frac{1}{n}H_{\min}(X^n|B')_\sigma \ge \lambda. \qquad (5.36)$$
2. The joint state $\rho_{AB'}$ created by the real protocol is $\varepsilon$-close to the ideal state in trace 
distance, where we identify $(X^n, B')$ with $(A, B')$. 

Security for Bob: If B is honest, then there exists an ideal state $\sigma_{A'X^n\mathcal{I}}$ where $X^n \in \{0,1\}^n$ 
and $\mathcal{I} \subseteq [n]$ such that 

1. The random variable $\mathcal{I}$ is independent of $A'X^n$ and distributed over $2^{[n]}$ according to 
the probability distribution given by (5.34): 
$$\sigma_{A'X^n\mathcal{I}} = \sigma_{A'X^n}\otimes\psi(p). \qquad (5.37)$$
2. The joint state $\rho_{A'B}$ created by the real protocol is equal to the ideal state: $\rho_{A'B} = \sigma_{A'(\mathcal{I}X_{\mathcal{I}})}$, 
where we identify $(A', B)$ with $(A', \mathcal{I}X_{\mathcal{I}})$. 

Note that any positive $\lambda$ allows one to build a protocol for bit commitment and oblivious 
transfer but of course, larger values of $\lambda$ naturally lead to better parameters. To give an 
example, Mandayam and Wehner [2011] prove that using an $(n, \lambda, \varepsilon, 1/3)$-WSE, one can 
obtain a 1-2 oblivious transfer of strings of length about $\lambda/24 \cdot n$. 



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Protocol for weak string erasure 

We now construct a very simple protocol for weak string erasure, and prove its security 
using our bitwise QC-randomness extractor. The only difference to the protocol proposed 
in Konig et al. [2012] is that we will use three MUBs per qubit instead of only two. For sake 
of argument, we state the protocol in a purified form where Alice generates the EPR-pairs 
and later measures them. Note, however, that the protocol is entirely equivalent to Alice 
creating single qubits and sending them directly to Bob. That is, honest Alice and Bob do 
not need any quantum memory to implement the protocol below. In the purified protocol, 
the choice of bit she encodes is determined randomly by her measurement outcome in the 
chosen basis on the EPR-pair. The protocol is illustrated in Figure |5TTj 

Protocol Weak string erasure (WSE): Outputs: x n E {0,1}" to Alice, (I, z^) E 

2N x {0,1}I X I to Bob. 

1. Alice: Creates n EPR-pairs $, and sends half of each pair to Bob. 

2. Alice: Chooses a bases-specifying string 6 n Er {0, 1, 2} n uniformly at random. 
For all i, she measures the i-th qubit in the basis 6>j to obtain outcome Xj. 

3. Bob: Chooses a basis string 9 n Er {0, 1, 2} n uniformly at random. When 
receiving the i-th qubit, Bob measures it in the basis given by §i to obtain outcome 

Both parties wait time At. 

4. Alice: Sends the basis information n to Bob, and outputs x n . 

5. Bob: Computes X = {i E [n] \ 9i = 6>.j}, and outputs (X, z^) := (X, xj). 
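As an added example (not code from the thesis), the following Python simulates an honest execution of the protocol above in its prepare-and-measure form, which the text notes is equivalent to the purified version: Alice prepares $V_{\theta_i}^\dagger|x_i\rangle$ and Bob measures in basis $\hat\theta_i$, with outcomes sampled from the Born rule. It checks the correctness property of Definition 5.4.1 (Bob's substring agrees with Alice's bits on $\mathcal{I}$) and that a basis mismatch yields a uniformly random outcome. The basis unitaries and function names are the example's own; no storage channel or dishonest party is modelled.

```python
import math
import random

# Added example, not code from the thesis. Honest-party simulation of the WSE
# protocol in prepare-and-measure form. Only the statistics of the protocol are
# reproduced; there is no adversary and no storage channel here.

S = 1 / math.sqrt(2)
# V_0, V_1, V_2: unitaries mapping the Z, X and Y eigenbases to the standard
# basis. V_2 is one valid choice for the Y basis (the example's own choice).
BASES = [
    [[1, 0], [0, 1]],
    [[S, S], [S, -S]],
    [[S, 1j * S], [-1j * S, -S]],
]


def apply(matrix, vec):
    return [sum(m * v for m, v in zip(row, vec)) for row in matrix]


def dagger(matrix):
    return [[complex(matrix[j][i]).conjugate() for j in range(2)] for i in range(2)]


def outcome_probabilities(theta, x, theta_hat):
    """[Pr(Bob reads 0), Pr(Bob reads 1)] when Alice encodes bit x in basis theta
    and Bob measures in basis theta_hat."""
    prepared = apply(dagger(BASES[theta]), [1, 0] if x == 0 else [0, 1])
    amplitudes = apply(BASES[theta_hat], prepared)
    return [abs(a) ** 2 for a in amplitudes]


def run_wse(n, seed):
    """One honest run. Returns Alice's output x^n and Bob's output (I, z)."""
    rng = random.Random(seed)
    # Steps 1-2 (prepare-and-measure form): Alice draws x^n and bases theta^n.
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.randrange(3) for _ in range(n)]
    # Step 3: Bob draws bases theta_hat^n and measures each arriving qubit.
    theta_hat = [rng.randrange(3) for _ in range(n)]
    x_hat = []
    for i in range(n):
        p0, _ = outcome_probabilities(theta[i], x[i], theta_hat[i])
        x_hat.append(0 if rng.random() < p0 else 1)
    # (Both parties wait time Delta t.)
    # Step 4: Alice announces theta^n. Step 5: Bob keeps the matching positions.
    index_set = [i for i in range(n) if theta[i] == theta_hat[i]]
    z = [x_hat[i] for i in index_set]
    return x, index_set, z


def wse_output_consistent(n=300, seed=1):
    """Correctness check: Bob's substring equals Alice's bits on the index set."""
    x, index_set, z = run_wse(n, seed)
    return all(x[i] == zi for i, zi in zip(index_set, z))
```

With three bases per qubit each position lands in $\mathcal{I}$ with probability $1/3$, which is the $p = 1/3$ case mentioned after Definition 5.4.1; on the other positions Bob's outcome is an unbiased coin, which is exactly the unbiasedness property of Section 5.2.2 showing up in the protocol.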



The proof of correctness of the protocol, and security against dishonest Alice is identical 
to König et al. [2012], Mandayam and Wehner [2011]. It essentially follows from the fact 
that Bob never sends any information to Alice. The main difficulty lies in proving security 
against dishonest Bob. Before embarking on a formal proof, let us first consider the general 
form that any attack of Bob takes (see Figure 5.2). First of all, note that the noisy-storage 
model only assumes that Bob has to use his storage device during waiting times $\Delta t$. Let $Q$ 
denote Bob's quantum register containing all $n$ qubits that he receives. Note that since there 
is no communication between Alice and Bob during the transmission of these $n$ qubits, we 
Figure 5.1: Illustration of the protocol for weak string erasure 

can without loss of generality assume that Bob first waits for all n qubits to arrive before 
mounting any form of attack. 

As any operation in quantum theory is a quantum channel, Bob's attack can be described by a quantum channel $\mathcal{E} : S(Q) \to S(\mathcal{H}_{in} \otimes M)$. This map takes $Q$ to some quantum state on the input of Bob's storage device ($\mathcal{H}_{in}$), and some arbitrarily large amount of classical information ($M$). For example, $\mathcal{E}$ could be an encoding into an error-correcting code. By assumption of the noisy-storage model, Bob's quantum memory is then affected by noise $\mathcal{F} : S(\mathcal{H}_{in}) \to S(\mathcal{H}_{out})$. After the waiting time, the joint state held by Alice and Bob in the purified version of the protocol, i.e., before Alice measures, is thus of the form
$$\rho_{ABM} = \big(\mathrm{id}_A \otimes [(\mathcal{F} \otimes \mathrm{id}_M) \circ \mathcal{E}]\big)(\Phi^{\otimes n}), \qquad (5.38)$$
where $\Phi$ is an EPR-pair. After the waiting time, Bob can perform any form of quantum operation to try and recover information about $X$ from the storage device.

5.4.3 Security and the quantum capacity

Recall from the definition above that our goal is to show that $H^{\epsilon}_{\min}(X|BM\Theta)_\rho \geq \lambda \cdot n$ for some parameter $\lambda > 0$. Although it was always clear that security should be related to the channel's ability to store quantum information, i.e., the quantum capacity of $\mathcal{F}$, proving this fact has been a challenge for several years. Partial progress to answering this question was made in König et al. [2012] and Berta et al. [2011a], where security was linked to the classical capacity and entanglement cost of $\mathcal{F}$, respectively. We informally state these results. Both of them prove security of the protocol described above except that two mutually unbiased bases are chosen instead of three. König et al. [2012] prove the protocol is secure whenever for some $R < 1/2$, the channel $\mathcal{F}$ is such that any attempt to transmit $nR$ classical bits across $\mathcal{F}$ is bound to fail with probability exponentially close to 1. Berta et al. [2011a] consider channels of the form $\mathcal{F} = \mathcal{N}^{\otimes N}$ and they show that the protocol is secure provided $N \cdot E_C(\mathcal{N})/n$ is bounded away from $1/2$, where $E_C(\mathcal{N})$ is the entanglement cost of the channel $\mathcal{N}$. The entanglement cost is the amount of entanglement needed to simulate the channel $\mathcal{N}$ when classical communication is given for free. $E_C(\mathcal{N})$ is a measure of how good the channel is for sending quantum information but it is in general larger than the quantum capacity.

Figure 5.2: Any attack of dishonest Bob is described by an encoding attack $\mathcal{E}$ and a guessing attack, since for classical $X$ the min-entropy $H_{\min}(X|BM\Theta)$ is directly related to the probability that Bob guesses $X$. As we will see below, it is however sufficient to consider how well a decoding attack $\mathcal{D}$ can preserve entanglement between Alice and Bob, where $\mathcal{D}$ acts on $BM$ on the state $\rho_{ABM}$ from equation (5.38).

Note that our objective is to make a statement about some classical information $X$ obtained by measuring $A$ in a randomly selected basis $\theta$. That is, we effectively ask for an uncertainty relation for these measurements. Previously, however, suitable uncertainty relations were only known for classical side information. The missing ingredient was an uncertainty relation with quantum side information, linked to the channel's ability to preserve quantum information. Here is where our uncertainty relation of Corollary 5.3.3 comes in.



To state the result, we first define the notion of channel fidelity introduced by Barnum et al. [2000], which is perhaps the most widely used quantity to measure how good a channel is at sending quantum information. For a channel $\mathcal{N} : S(Q) \to S(Q')$, the channel fidelity $F_C$ quantifies how well $\mathcal{N}$ preserves entanglement with a reference:
$$F_C(\mathcal{N}) = F\big(\Phi_{QA}, [\mathcal{N} \otimes \mathrm{id}_A](\Phi_{QA})\big), \qquad (5.39)$$
where $\Phi_{QA}$ is a maximally entangled state. For example, one way of defining the (one-shot) quantum capacity with free classical forward communication of a channel $\mathcal{F}$ is by the maximum of $\log d_A$ over all encodings $\mathcal{E} : S(Q) \to S(\mathcal{H}_{in} \otimes M)$ and decodings $\mathcal{D} : S(B \otimes M) \to S(Q')$ such that $F_C(\mathcal{D} \circ (\mathcal{F} \otimes \mathrm{id}_M) \circ \mathcal{E}) \geq 1 - \epsilon$ for small enough $\epsilon$. Here $\mathrm{id}_M$ refers to a noiseless classical channel.

Theorem 5.4.2. Let Bob's storage device be given by $\mathcal{F} : S(\mathcal{H}_{in}) \to S(B)$. Let $\epsilon \in (0,1)$, $\kappa = 8\log(4/\epsilon)$, $\lambda < \log 3 - 1$. Assume that we have
$$\max F_C\big(\mathcal{D} \circ (\mathcal{F} \otimes \mathrm{id}_M) \circ \mathcal{E}\big) \leq 2^{-(2 - \log 3 + \lambda)n - \kappa}, \qquad (5.40)$$
where the maximum is over all quantum channels $\mathcal{E} : S((\mathbb{C}^2)^{\otimes n}) \to S(\mathcal{H}_{in} \otimes M)$ and $\mathcal{D} : S(B \otimes M) \to S((\mathbb{C}^2)^{\otimes n})$.

Then, Protocol 1 implements an $(n, \lambda, \epsilon, 1/3)$-WSE.

Proof. The proof of correctness of the protocol, and security against dishonest Alice, is identical to König et al. [2012], Mandayam and Wehner [2011] and does not lead to any error terms.

Using the uncertainty relation of Corollary 5.3.3, with $E = BM\Theta$ on $\rho_{ABM\Theta}$, we get
$$H^{\epsilon}_{\min}(X|BM\Theta)_\rho \geq (\log 3 - 1)n + \min\{0, H_{\min}(A|BM\Theta)_\rho\}. \qquad (5.41)$$
Note that because $\Theta$ is independent of $ABM$, we have $H_{\min}(A|BM\Theta)_\rho = H_{\min}(A|BM)_\rho$.
To place a bound on (5.41), we would like to obtain a lower bound on
$$\min H_{\min}(A|BM)_\rho,$$
where the minimization is taken over all encoding attacks as described above. We will use condition (5.40) to obtain such a lower bound. We now use an operational interpretation of the conditional min-entropy due to König et al. [2009]:
$$H_{\min}(A|BM)_\rho = -\log\Big( d_A \max_{\Lambda : BM \to A'} F\big(\Phi_{AA'}, (\mathrm{id}_A \otimes \Lambda)(\rho_{ABM})\big) \Big), \qquad (5.42)$$
where $\Phi_{AA'}$ is the maximally entangled state across $AA'$. That is, the min-entropy is directly related to the "amount" of entanglement between $A$ and $E = BM$. The map $\Lambda$ in (5.42) can be understood as a decoding attack $\mathcal{D}$ aiming to restore entanglement with Alice. Further, note that $|A'| = |Q|$ and we can equivalently upper bound
$$\max_{\mathcal{D}} F\big(\Phi_{AA'}, (\mathrm{id}_A \otimes [\mathcal{D} \circ (\mathcal{F} \otimes \mathrm{id}_M) \circ \mathcal{E}])(\Phi_{AQ})\big) = \max_{\mathcal{D}} F_C\big(\mathcal{D} \circ (\mathcal{F} \otimes \mathrm{id}_M) \circ \mathcal{E}\big). \qquad (5.43)$$
By the assumption on the storage device $\mathcal{F}$, we obtain that for any encoding $\mathcal{E}$ and decoding $\mathcal{D}$ attack of Bob
$$\begin{aligned}
H_{\min}(A|BM)_\rho &\geq -\log\big(2^n F_C(\mathcal{D} \circ (\mathcal{F} \otimes \mathrm{id}_M) \circ \mathcal{E})\big) \\
&\geq -\big(n - (2 - \log 3)n - \lambda n - \kappa\big) \\
&= -(\log 3 - 1)n + \lambda n + \kappa.
\end{aligned}$$



Then, using the uncertainty relation for 3 MUBs per qubit of Corollary 5.3.3 (with the choice of $\delta$ made there and $\delta' = \epsilon^2/8$), we get
$$H^{\epsilon}_{\min}(X|BM\Theta)_\rho \geq \lambda n - \log\big(2 \cdot 64/\epsilon^4 + 1\big) - \log(16/\epsilon^4) - 2 + 8\log(4/\epsilon) \geq \lambda n.$$
$\square$



Note that ideally, we would want a statement of the form: if
$$\max F_C\big(\mathcal{D} \circ (\mathcal{F} \otimes \mathrm{id}_M) \circ \mathcal{E}\big) \leq 2^{-\lambda n}, \qquad (5.44)$$
then Protocol 1 implements an $(n, \lambda, \epsilon, 1/3)$-WSE. Unfortunately, we have a stronger constraint in equation (5.40) with an additional positive factor of $2 - \log 3$. If we wanted to prove security with the condition (5.44), we would need to prove a stronger uncertainty relation than in Corollary 5.3.3. In particular, observe that if $H_{\min}(A|E) < -(\log 3 - 1)n$, our uncertainty relation does not give any useful bound. It would be very interesting to improve it so that we can get a non-trivial lower bound for any $H_{\min}(A|E) \geq -cn$ with $c < 1$. Note that, as in Mandayam and Wehner [2011], we can get arbitrarily close to proving security under a condition of the form (5.44) by using higher dimensional encodings (i.e., using the uncertainty relation of Corollary 5.3.3 with larger values of $d$), but it becomes hard to implement the protocol with current technology.
Example: bounded storage

We look at the simple case where $\mathcal{F} = \mathrm{id}^{\otimes N}$, known as the bounded storage model. In this case, it is simple to prove that if you try to send more than $N$ qubits of information using $\mathcal{F}$, the channel fidelity will decrease exponentially in $n$ [Berta et al., 2011a].

Lemma 5.4.3. For $n \geq N$, we have
$$\max F_C\big(\mathcal{D} \circ (\mathrm{id}^{\otimes N} \otimes \mathrm{id}_M) \circ \mathcal{E}\big) \leq 2^{-n+N},$$
where the maximum is over all quantum channels $\mathcal{E} : S((\mathbb{C}^2)^{\otimes n}) \to S((\mathbb{C}^2)^{\otimes N} \otimes M)$ and $\mathcal{D} : S((\mathbb{C}^2)^{\otimes N} \otimes M) \to S((\mathbb{C}^2)^{\otimes n})$.

Proof. Consider a decomposition of the encoding and decoding maps in terms of their Kraus operators as $\mathcal{E}(\rho) = \sum_j E_j \rho E_j^\dagger$ and $\mathcal{D}(\rho) = \sum_{k,m} D_{k,m} \rho D_{k,m}^\dagger$ where $D_{k,m} = \tilde{D}_{k,m} \otimes |m\rangle\langle m|$. Note that without loss of generality, the latter has this form since it is processing classical forward communication on $M$. Let $\Pi_{k,m}$ denote the projector onto the subspace that $D_{k,m}$ maps to. Writing the maximally entangled state as $\Phi = \frac{1}{2^{n}} \sum_{l,l'} |l\rangle\langle l'| \otimes |l\rangle\langle l'|$, we can now bound
$$\begin{aligned}
F_C\big(\mathcal{D} \circ (\mathrm{id}^{\otimes N} \otimes \mathrm{id}_M) \circ \mathcal{E}\big)
&= \frac{1}{2^{2n}} \sum_{l,l'} \sum_{jkm} \langle l | D_{k,m} E_j | l \rangle \langle l' | E_j^\dagger D_{k,m}^\dagger | l' \rangle \\
&= \frac{1}{2^{2n}} \sum_{jkm} \big| \mathrm{tr}[D_{k,m} E_j] \big|^2 \\
&= \frac{1}{2^{2n}} \sum_{jkm} \big| \mathrm{tr}[\Pi_{k,m} D_{k,m} E_j] \big|^2 \\
&\leq \frac{1}{2^{2n}} \sum_{jkm} \mathrm{tr}[\Pi_{k,m}] \, \mathrm{tr}\big[D_{k,m} E_j E_j^\dagger D_{k,m}^\dagger\big] \\
&\leq \frac{2^N}{2^{2n}} \, \mathrm{tr}\Big[ \mathcal{D} \circ \mathcal{E}(\mathrm{id}) \Big] \\
&= \frac{2^N \cdot 2^n}{2^{2n}} = 2^{-n+N},
\end{aligned}$$
where in the third equality, we used the cyclicity of the trace and the fact that $\Pi_{k,m} D_{k,m} = D_{k,m}$. We used the Cauchy-Schwarz inequality for the first inequality, and the fact that $\mathrm{tr}[\Pi_{k,m}] = \mathrm{rank}[D_{k,m}] = \mathrm{rank}[\tilde{D}_{k,m} \otimes |m\rangle\langle m|] \leq 2^N$ for the second. For the last equality, we used the fact that $\mathcal{D}$ and $\mathcal{E}$ are trace preserving. $\square$
It then follows from Theorem 5.4.2 that if $N/n$ is bounded away (from below) from $\log 3 - 1$, then the described protocol is secure: combining Lemma 5.4.3 with condition (5.40), the protocol is an $(n, \lambda, \epsilon, 1/3)$-WSE as soon as $N/n \leq (\log 3 - 1) - \lambda - \kappa/n$. We note that the parameters obtained here are slightly worse than what was obtained in Mandayam and Wehner [2011], where security was shown to be possible for $N/n$ bounded away from $2/3$ instead of $0.585$. This is due to the fact that the lower bound $0.585$ in our uncertainty relation stems from an expression involving the collision entropy rather than the Shannon entropy. We emphasize however, that due to finite size effects our bound is still better in the practically relevant regime of $n < 10^6$ (for the same security parameters).
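As an added example (not code from the thesis), the following Python script simulates an honest run of the weak string erasure protocol of Section 5.4.2 using single qubits in place of EPR pairs, which the text notes is equivalent, and then evaluates the bounded-storage condition obtained by combining Lemma 5.4.3 with (5.40). The explicit MUB vectors, the seeds and the sample parameters ($n = 10^6$, $N = 10^5$, $\epsilon = 2^{-20}$) are choices made for this example; the function names are not from the thesis.

```python
"""Added example (not from the thesis): honest weak string erasure with
three single-qubit MUBs, plus the bounded-storage parameter check that
combines Theorem 5.4.2 with Lemma 5.4.3."""
import math
import random

# Three mutually unbiased bases of a qubit, indexed by theta_i in {0, 1, 2}:
# computational, Hadamard and circular.  Each basis is a pair of unit vectors.
_S = 1 / math.sqrt(2)
MUBS = (
    ((1, 0), (0, 1)),
    ((_S, _S), (_S, -_S)),
    ((_S, _S * 1j), (_S, -_S * 1j)),
)


def _overlap(u, v):
    """Born probability |<u|v>|^2 for two-component complex vectors."""
    amp = sum(a.conjugate() * b for a, b in zip(u, v))
    return abs(amp) ** 2


def measure(state, basis, rng):
    """Measure `state` in MUB `basis`; returns the outcome bit 0 or 1."""
    p0 = _overlap(MUBS[basis][0], state)
    if p0 > 1 - 1e-12:        # same basis, outcome 0: deterministic up to rounding
        return 0
    if p0 < 1e-12:            # same basis, outcome 1
        return 1
    return 0 if rng.random() < p0 else 1


def wse_honest(n, seed):
    """One honest run of WSE.  Returns Alice's x^n, Bob's index set I and
    Bob's bits z^I (a dict i -> bit).  Alice preparing |x_i> in basis
    theta_i is equivalent to measuring her half of an EPR pair."""
    rng = random.Random(seed)
    theta = [rng.randrange(3) for _ in range(n)]        # Alice's bases
    x = [rng.randrange(2) for _ in range(n)]            # Alice's outcomes
    theta_tilde = [rng.randrange(3) for _ in range(n)]  # Bob's bases
    x_tilde = [measure(MUBS[theta[i]][x[i]], theta_tilde[i], rng) for i in range(n)]
    # After the waiting time Alice reveals theta; Bob keeps matching positions.
    I = [i for i in range(n) if theta_tilde[i] == theta[i]]
    z = {i: x_tilde[i] for i in I}
    return x, I, z


def mismatch_bias(n, seed):
    """Fraction of positions, measured in a basis different from Alice's, where
    Bob's outcome equals x_i.  For MUBs this converges to 1/2: Bob learns
    nothing about x_i from a mismatched measurement."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        theta, bit = rng.randrange(3), rng.randrange(2)
        other = (theta + 1 + rng.randrange(2)) % 3        # a basis != theta
        hits += measure(MUBS[theta][bit], other, rng) == bit
    return hits / n


def bounded_storage_lambda(n, N, eps):
    """Largest lambda for which (5.40) follows from Lemma 5.4.3 when
    F = id^{(x)N}: 2^{-n+N} <= 2^{-(2 - log 3 + lambda) n - kappa} holds iff
    lambda <= (log 3 - 1) - N/n - kappa/n, with kappa = 8 log(4/eps).
    Returns None when no positive lambda satisfies it."""
    kappa = 8 * math.log2(4 / eps)
    lam = (math.log2(3) - 1) - N / n - kappa / n
    return lam if lam > 0 else None


if __name__ == "__main__":
    x, I, z = wse_honest(16, seed=7)
    print("x^n =", x)
    print("Bob: I =", I, "z^I =", [z[i] for i in I])
    print("mismatched-basis agreement:", mismatch_bias(4000, seed=1))
    print("lambda(n=1e6, N=1e5, eps=2^-20) =",
          bounded_storage_lambda(10**6, 10**5, 2.0**-20))
```

The simulation confirms the two honest-party facts the proof relies on: on $\mathcal{I}$ Bob's bits equal Alice's, and on the mismatched positions his outcome is an unbiased coin. The last function makes the bounded-storage threshold concrete: with $N/n = 0.1$ the admissible $\lambda$ is close to $0.48$, and it drops to nothing once $N/n$ exceeds $\log 3 - 1 \approx 0.585$.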



5.5 Concluding remarks

In this chapter, we considered uncertainty relations that take into account an adversary that is potentially entangled with the system being measured. As in Chapter 3, the measure of uncertainty we used is the distance to the uniform distribution. But in addition, we also asked for the joint state of the outcome together with the system of the adversary to be close to a product state. The advantage of this measure is that we were able to apply techniques similar to the decoupling theorem. We first use a Hölder type inequality to work with the $\ell_2$-norm, which is much easier to handle. Then, we use symmetry properties of the unitaries to obtain bounds on these norms. This allowed us to analyse several constructions of bases, but as we saw in Proposition 5.2.10 this technique cannot be used to show uncertainty relations for small sets of bases. Handling quantum side information using the $\ell_1$ norm directly seems like a difficult technical challenge. In the context of CC-extractors, there are constructions that have a small seed [De et al., 2009, König and Terhal, 2008, Ta-Shma, 2009]. It would be interesting to use these ideas to construct QQ or QC-extractors with small seed.

We then used one of our uncertainty relations for single-qubit measurements to relate the security of two-party secure function evaluation to the capacity of the storage device to store quantum information reliably. We showed that provided the storage device is "very bad" at storing $n$ qubits, there is a protocol for performing secure function evaluation in which Alice and Bob communicate $n$ qubits. This is the first time the security is related to the capacity of the channel to send quantum information. As explained in the discussion following Theorem 5.4.2, this is not totally satisfying, but is hopefully a step towards proving the ideal result, which would be that we get security as soon as the storage device is just "bad" at storing quantum information.



Chapter 6
Discussion

6.1 Summary

In this thesis, we considered uncertainty relations for several observables and their applications to quantum information theory. We have first seen how the problem of finding uncertainty relations is closely related to the problem of finding large almost Euclidean subspaces of $\ell_1(\ell_2)$. Even though we did not use any norm embedding result directly, many of the ideas presented here come from the proofs and constructions in the study of the geometry of normed spaces. In particular, we obtained an explicit family of bases that satisfy a strong metric uncertainty relation by adapting a construction of Indyk [2007]. Moreover, using standard techniques from asymptotic geometric analysis, we were able to prove strong uncertainty relations for random bases.

We used these uncertainty relations to exhibit strong locking effects. In particular, we obtained the first explicit construction of a method for encrypting a random $n$-bit string in an $n$-qubit state using a classical key of size polylogarithmic in $n$. Moreover, our non-explicit results give better key sizes than previous constructions while simultaneously meeting a stronger locking definition. In particular, we showed that an arbitrarily long message can be locked with a constant-sized key. Our results on locking are summarized in Table 4.1. We should emphasize that, even though we presented information locking from a cryptographic point of view, it is not a composable primitive because an eavesdropper could choose to store quantum information about the message instead of measuring. For this reason, a locking scheme has to be used with great care when composed with other cryptographic primitives.

We also used uncertainty relations to construct quantum identification codes. We proved that it is possible to identify a quantum state of $n$ qubits by communicating $n$ classical bits and $O(\log(1/\epsilon))$ quantum bits. We also presented an efficient encoder for this problem that uses $O(\log^2(n/\epsilon))$ qubits of communication instead. The main weakness of this result is that the decoder uses a classical description of the state $|\varphi\rangle$ that is in general exponential in the number of qubits of $|\varphi\rangle$. One cannot hope to avoid this difficulty because, as shown by Winter [2004], if Bob was to receive a copy of the quantum state $|\varphi\rangle$, the task of quantum identification becomes the same as the task of transmission of quantum information.

We then considered uncertainty relations that hold even in the presence of quantum side information. For this, we defined QC-extractors which are sets of unitary transformations that have the following property: for any state $\rho_{AE}$ for which $H_{\min}(A|E)_\rho$ is sufficiently larger than $-\log d_A$, applying a typical unitary on $A$ followed by a measurement of some prefix of the output gives an outcome that is almost uniformly distributed and independent of $E$. Such a definition fits in the general framework of the decoupling theorem of Dupuis [2010], Dupuis et al. [2010a], and we use similar techniques to analyse the different constructions we propose; see Table 5.1 for a summary. All these constructions lead to strong min-entropy uncertainty relations. We used them to prove the security of two-party function evaluation under a condition on the capacity of the parties' storage device to maintain quantum information. We also proved von Neumann entropy uncertainty relations with quantum side information for a full set of mutually unbiased bases, thus generalizing the results of Ivanovic [1992], Sanchez [1993].



6.2 Open questions

We expect to see more applications to quantum information theory of the tools used in the theory of pseudorandomness. An interesting open question is whether these techniques can be helpful in constructing explicit subspaces of highly entangled states. Such subspaces are related to one of the central problems in quantum information theory: the classical capacity of a quantum channel. An explicit construction of such spaces would lead to explicit channels that violate additivity of the minimum output entropy [Hastings, 2009, Hayden and Winter, 2008], but also explicit protocols for superdense coding of quantum states [Harrow et al., 2004]. As shown by Aubrun et al. [2010, 2011], this problem amounts to finding explicit almost Euclidean sections for matrix spaces endowed with Schatten $p$-norms, which correspond to the $\ell_p$ norm of the singular values. In addition to the applications in quantum information theory, such almost Euclidean sections are closely related to rank minimization problems for which the nuclear norm heuristic allows exact recovery [Dvijotham and Fazel, 2010].

Addressing this question is related to finding explicit constructions of $(0, \epsilon)$-QQ-extractors with output size close to $n/2$ (which is optimal) and with small (say sublinear in $n$) seed size. In fact, by applying the unitaries of the QQ-extractor in superposition, all input pure states get mapped to highly entangled output states. More generally, it would be very interesting to understand what kinds of sets of unitaries other than unitary two-designs satisfy the decoupling theorem. Is it possible to use a number of unitaries that is smaller than the output dimension? Even non-explicit constructions would be interesting. In the special case of QC-extractors, do the metric uncertainty relations of Chapter 3 remain valid in the presence of quantum side information?

From a computational complexity point of view, I think it would also be interesting to study the hardness of some natural problems related to uncertainty relations. For example, given a set of unitaries as an input, can one compute efficiently how good the uncertainty relations they define are? Does quantum side information make things significantly harder?

We might also wonder whether the decoupling theorem, or the different notions of quantum extractors defined here, have applications to complexity theory, just as classical extractors have applications in derandomization for example.

There is also an intriguing general question on the power of the second moment. We 
know that pairwise independent permutations are good (classical) extractors. We also know 
that a full set of mutually unbiased bases — which defines a state 2-design — satisfies good 
uncertainty relations. In addition, the decoupling theorem says that unitary 2-designs satisfy 
a strong decoupling statement. All these results are based on a second moment argument. 
Is there a precise way of unifying these results? 

On the cryptography side, are there cryptographic applications of locking schemes? For 
example, suppose that we authenticate the message before encoding it. Then the receiver can 
check whether an eavesdropper has altered the encoded message. Conditioned on passing 
the authentication test, is it true that the state held by the eavesdropper is independent of 
the message? If this is the case, then the security guarantee would be composable and we 
could use a locking scheme as a key distribution protocol that only uses communication 
from Alice to Bob. 



Appendices

Appendix A
Deferred proofs



A.1 Existence of metric uncertainty relations

In this section, we prove the lemmas used for proving Theorem 3.3.2.

Lemma 3.3.3 (Average value of $\ell_1(\ell_2)$ on the sphere). Let $|\varphi\rangle_{AB}$ be a random pure state on $AB$. Then,
$$\mathbb{E}\Big\{ \big\| |\varphi\rangle_{AB} \big\|_{\ell_1^{d_A}(\ell_2^{d_B})} \Big\} = d_A \, \frac{\Gamma(d_B + \tfrac12)}{\Gamma(d_B)} \, \frac{\Gamma(d_A d_B)}{\Gamma(d_A d_B + \tfrac12)} \geq \sqrt{d_A} \sqrt{1 - \frac{1}{2 d_B}},$$
where $\Gamma$ is the Gamma function $\Gamma(z) = \int_0^\infty u^{z-1} e^{-u}\,du$ for $z > 0$.

Proof. The presentation uses methods described in Ball [1997].

Observe that the random variable || |<^) AB ||i2 is distributed as the if A (£l dB ) norm of 
a real random vector chosen according to the rotation invariant measure on the sphere 
§>2d A o! s -i. We define for integers n and m the norm t\{t™) °f a rea l n + "^-dimensional 



vector {vij}ie[n],je[m} as for the complex case (Definition 3.2.3) 



J *,3 I 



Note that we only specify the dimension of the systems as the systems themselves are not 



\l d 1 A (l 2d B)- 



relevant here. In the rest of the proof, we use || • || 12 as a shorthand for | 
Our objective is to evaluate the expected value E {||0|| 12 } where has rotation invariant 
distribution on the real sphere § s_1 and s = 2d with d = dAd B - For this, we start by relating 
the E{||Z||i 2 } and E{||0||i 2 } where Z has a standard Gaussian distribution on IR S . By 
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changing to polar coordinates, we get 

3 2 Z^i=l x i 



E{\\Z\\»} = fjx\\ a ^^ds 




lr9h2 j2^ r(| + i) r dr 



where a is the normalized Haar measure on 8 s 1 . The term fpq-f) is the surface area of the 



a/2 o s/2 

sphere in dimension s — 1. Using the equality T(z + 1) = zY{z), we have f^f+i) — T(iy- 
Thus, 

o s/2 /-oo 

(27T) s /^l (2) Jo Js-i 



2-/2-ir( 



2/ 1 ^0 



We then perform a change of variable u = r 2 /2: 

e{hzii 12 } - 2s/2 -i r( , ) r ^ {s ~ me ~ udu ■ 1^ ww^w 



12 



dcr(0) 



Now, we compute 



^2> 

2 (--i)/2 r (-=l + !) 

2-/ 2 - 1 r(§) 

^^•E{||6|| 12 }. (A.1) 



-ill-HI 2 



E{||Z|| 12 }= / ||x|| 127 — r^dx 
d A p --\\x\\% 

where we decomposed x — (x 1: . . . , where e IR 2c!b . As all the terms of the sum are 
equal 

r e -|lko|ll / r e -|lki|ll 

E{||Z|| 12 } = d A / ||x || 2 — — rf^ / 

J R 2d B (2ir) a B yj R i<i B (2n) d B 

\/2T( 2dB+1 ) f 
= d A V 2 ; / ||0|| 2 <M0) 
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r(d B ) 
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To get the second equality, we use the same argument as for equation ( |A.1| ). We conclude 
using equation ( |A.1[ ) 



e{|||^)II^)} = E{||0|| 12 } 

T(d B + ±) T(d A d B ) 



r(dfl) v(d A d B + \y 

We now prove the inequality in the statement of the lemma. We use the following two 
facts about the Y function: logT is convex and for all z > 0, F(z + 1) = zT(z). The 
first property can be seen by using Holder's inequality for example and the second using 
integration by parts. Using these properties, we have 

log r Tar + < ^lo g r(x) + ^lo g r(x + l) 
= 2 log (xT(x) 2 ) 

= log (y/xT(x)) . 

Thus, r ^) 2 ' — V^- Similarly, we have r ^\) < \J x — \ which implies that > 
x - \ when writing T(x + 1/2) = (x - l/2)T(x - 1/2). 



2 

We conclude that 



E 



\^\\^)}^ d ^f^7d7d 



B 



I A ■ 



2d, 



□ 



Lemma 3.3.4 (Levy's lemma). Let $f : \mathbb{C}^d \to \mathbb{R}$ and $\eta > 0$ be such that for all pure states $|\varphi_1\rangle, |\varphi_2\rangle$ in $\mathbb{C}^d$,
$$\big| f(|\varphi_1\rangle) - f(|\varphi_2\rangle) \big| \leq \eta \, \big\| |\varphi_1\rangle - |\varphi_2\rangle \big\|_2.$$
Let $|\varphi\rangle$ be a random pure state in dimension $d$. Then for all $0 < \delta < \eta$,
$$\Pr\Big\{ \big| f(|\varphi\rangle) - \mathbb{E}\{f(|\varphi\rangle)\} \big| \geq \delta \Big\} \leq 4 \exp\Big( - \frac{\delta^2 d}{c \eta^2} \Big),$$
where $c$ is a constant. We can take $c = 9\pi^2$.

Proof. We can instead study the concentration of a Lipschitz function on the real sphere $\mathbb{S}^{2d-1}$. Note that the induced function (that we also call $f$) is still $\eta$-Lipschitz. Concentration on $\mathbb{S}^{2d-1}$ can be proved in a simple way using concentration of the standard Gaussian distribution. This proof is due to Maurey and Pisier and can be found in [Milman and Schechtman, 1986, Appendix V]. Specifically, using [Milman and Schechtman, 1986, Corollary V.2], we get
$$\Pr\Big\{ \big| f(|\varphi\rangle) - \mathbb{E}\{f(|\varphi\rangle)\} \big| \geq \delta \Big\} \leq 2 \exp\Big( - \frac{\delta^2 \cdot 2d}{18 \pi^2 \eta^2} \Big) + 2 \exp\Big( - \frac{2d}{2\pi^2} \Big) \leq 4 \exp\Big( - \frac{\delta^2 d}{9 \pi^2 \eta^2} \Big).$$
In the notation of the proof of [Milman and Schechtman, 1986, Corollary V.2], we have set $\delta = 1/2$. This can be done because using the same arguments as in the proof of Lemma 3.3.3, we can show that the expected $\ell_2$ norm of the standard Gaussian distribution in dimension $n$ is at least $\sqrt{2} \, \Gamma(\frac{n+1}{2}) / \Gamma(\frac{n}{2}) \geq \sqrt{n-1} \geq \frac{1}{2}\sqrt{n}$ for $n \geq 2$.

We used this version of Levy's lemma because it has an elementary proof and it gives directly the concentration about the expected value. Different versions involving the median of $f$ and giving better constants can be found in [Milman and Schechtman, 1986, Corollary 2.3] or [Ledoux, 2001, Proposition 1.3] for example. $\square$



Lemma 3.3.6 ($\delta$-net). Let $\delta \in (0,1)$. There exists a set $\mathcal{N}$ of pure states in $\mathbb{C}^d$ with $|\mathcal{N}| \leq (3/\delta)^{2d}$ such that for every pure state $|\varphi\rangle \in \mathbb{C}^d$ (i.e., $\| |\varphi\rangle \|_2 = 1$), there exists $|\psi\rangle \in \mathcal{N}$ such that
$$\big\| |\varphi\rangle - |\psi\rangle \big\|_2 \leq \delta.$$

Proof. A proof can be found in [Hayden et al., 2004, Lemma II.4]. We repeat it here for completeness. Let $\mathcal{N}$ be a maximal set of pure states satisfying $\| |\psi_1\rangle - |\psi_2\rangle \|_2 \geq \delta$ for all distinct pure states $|\psi_1\rangle, |\psi_2\rangle \in \mathcal{N}$. This set can be constructed iteratively by adding at each step a state that is at distance at least $\delta$ from all states already in the set. First, we show that this procedure terminates by bounding the size of such a set. We do this using a volume argument. For this it is simpler to look at vectors $|\psi\rangle \in \mathcal{N}$ as real vectors in dimension $2d$. The open balls of radius $\delta/2$ centered at each $|\psi\rangle \in \mathcal{N}$ are disjoint and are contained in the open ball of radius $1 + \delta/2$ centered at the origin. Therefore,
$$|\mathcal{N}| \Big( \frac{\delta}{2} \Big)^{2d} \leq \Big( 1 + \frac{\delta}{2} \Big)^{2d}, \quad \text{i.e.,} \quad |\mathcal{N}| \leq \Big( \frac{2 + \delta}{\delta} \Big)^{2d} \leq \Big( \frac{3}{\delta} \Big)^{2d}.$$
We conclude by observing that such a set has the desired property. In fact, if there exists a state $|\varphi\rangle \in \mathbb{C}^d$ such that for all $|\psi\rangle \in \mathcal{N}$, $\| |\varphi\rangle - |\psi\rangle \|_2 \geq \delta$, then $|\varphi\rangle$ can be added to $\mathcal{N}$ and contradict the fact that $\mathcal{N}$ is maximal. $\square$
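As an added example (not code from the thesis), the following Python script runs the greedy construction from the proof above on a finite pool of Haar-random pure states of $\mathbb{C}^d$ and checks the three properties the proof uses: pairwise separation, coverage of the pool, and the volume bound $|\mathcal{N}| \leq (3/\delta)^{2d}$. Working from a finite pool is an approximation of the maximal set in the proof; the pool size, the seed and the function names are choices made for this example.

```python
"""Added example (not from the thesis): the greedy delta-separated set of
Lemma 3.3.6 built from a finite pool of random pure states, with the
volume bound |N| <= (3/delta)^(2d) checked numerically."""
import math
import random


def random_pure_state(d, rng):
    """Haar-random unit vector in C^d (normalised complex Gaussian vector)."""
    v = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(d)]
    norm = math.sqrt(sum(abs(c) ** 2 for c in v))
    return [c / norm for c in v]


def dist2(u, v):
    """Euclidean norm || |u> - |v> ||_2 of the difference of two vectors."""
    return math.sqrt(sum(abs(a - b) ** 2 for a, b in zip(u, v)))


def greedy_net(pool, delta):
    """Keep each candidate that is at distance >= delta from everything kept so far."""
    net = []
    for psi in pool:
        if all(dist2(psi, phi) >= delta for phi in net):
            net.append(psi)
    return net


def net_demo(d, delta, pool_size, seed):
    """Returns (|N|, separated, covers_pool, within_volume_bound)."""
    rng = random.Random(seed)
    pool = [random_pure_state(d, rng) for _ in range(pool_size)]
    net = greedy_net(pool, delta)
    separated = all(dist2(a, b) >= delta
                    for i, a in enumerate(net) for b in net[i + 1:])
    # Every pool state is within delta of the net: it was either kept, or
    # rejected because some already-kept state was closer than delta.
    covers = all(any(dist2(psi, phi) < delta for phi in net) for psi in pool)
    bound = (3 / delta) ** (2 * d)
    return len(net), separated, covers, len(net) <= bound


if __name__ == "__main__":
    size, sep, cov, ok = net_demo(d=2, delta=0.9, pool_size=1000, seed=3)
    print("net size:", size, "separated:", sep, "covers pool:", cov,
          "within (3/delta)^(2d) =", (3 / 0.9) ** 4, ":", ok)
```

For a qubit ($d = 2$, real dimension 4) and $\delta = 0.9$ the volume bound allows at most $(3/0.9)^4 \approx 123$ states; the greedy set is far smaller, which is the packing-versus-volume slack the proof tolerates.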



Lemma 3.3.5 (Concentration of the average). Let $a, b \geq 1$, $\delta \in (0,1)$ and $t$ a positive integer. Suppose $X$ is a random variable with mean $0$ satisfying the tail bounds
$$\Pr\{X \geq \eta\} \leq a e^{-b\eta^2} \quad \text{and} \quad \Pr\{X \leq -\eta\} \leq a e^{-b\eta^2}.$$
Let $X_1, \ldots, X_t$ be independent copies of $X$. Then if $\delta^2 b \geq 16 a^2 \pi$,
$$\Pr\Big\{ \frac{1}{t} \sum_{k=1}^t X_k \geq \delta \Big\} \leq \exp\Big( - \frac{\delta^2 b t}{2} \Big).$$

Proof. For any $\lambda > 0$, using Markov's inequality
$$\Pr\Big\{ \sum_{k=1}^t X_k \geq t\delta \Big\} = \Pr\Big\{ \exp\Big( \lambda \sum_{k=1}^t X_k \Big) \geq \exp(\lambda t \delta) \Big\} \leq \mathbb{E}\Big\{ \exp\Big( \lambda \sum_{k=1}^t X_k \Big) \Big\} e^{-\lambda t \delta} = \mathbb{E}\{e^{\lambda X}\}^t \, e^{-\lambda t \delta}.$$
We now bound the moment generating function $\mathbb{E}\{e^{\lambda X}\}$ of $X$ using the tail bounds.
$$\begin{aligned}
\mathbb{E}\{e^{\lambda X}\} &= \int_0^\infty \Pr\{e^{\lambda X} \geq u\} \, du = \int_0^1 \Pr\Big\{ X \geq \frac{\ln u}{\lambda} \Big\} du + \int_1^\infty \Pr\Big\{ X \geq \frac{\ln u}{\lambda} \Big\} du \\
&\leq 1 + \int_1^\infty a \exp\Big( - \frac{b \ln^2 u}{\lambda^2} \Big) du = 1 + a \int_0^\infty \exp\Big( - \frac{b z^2}{\lambda^2} \Big) e^z \, dz
\end{aligned}$$
by making the change of variable $z = \ln u$. Completing the square in the exponent,
$$\begin{aligned}
\mathbb{E}\{e^{\lambda X}\} &\leq 1 + a \int_0^\infty \exp\Big( - \frac{b}{\lambda^2} \Big( z - \frac{\lambda^2}{2b} \Big)^2 + \frac{\lambda^2}{4b} \Big) dz \\
&\leq 1 + a \exp\Big( \frac{\lambda^2}{4b} \Big) \int_{-\infty}^\infty \exp\Big( - \frac{b}{\lambda^2} \Big( z - \frac{\lambda^2}{2b} \Big)^2 \Big) dz \\
&= 1 + a \frac{\sqrt{\pi} \lambda}{\sqrt{b}} \cdot \exp\Big( \frac{\lambda^2}{4b} \Big) \\
&\leq 2 \max\Big\{ 1, \; a \frac{\sqrt{\pi} \lambda}{\sqrt{b}} \cdot \exp\Big( \frac{\lambda^2}{4b} \Big) \Big\}.
\end{aligned}$$
We choose $\lambda = 2\delta b$ (this is not the optimal choice but it makes expressions simpler),
$$\begin{aligned}
\Pr\Big\{ \sum_{k=1}^t X_k \geq t\delta \Big\} &\leq \max\Big\{ 2^t, \; \big( 2a \sqrt{\pi} \cdot 2\delta\sqrt{b} \big)^t \exp(\delta^2 b t) \Big\} \exp(-2\delta^2 b t) \\
&= \max\Big\{ \exp(-2\delta^2 b t + t \ln 2), \; \exp\big( \delta^2 b t - 2\delta^2 b t + t \ln(4a\sqrt{\pi}\delta\sqrt{b}) \big) \Big\} \\
&= \max\Big\{ \exp\big( (-2\delta^2 b + \ln 2) t \big), \; \exp\big( (-\delta^2 b + \ln(4a\sqrt{\pi}\delta\sqrt{b})) t \big) \Big\}.
\end{aligned}$$
Claim. For all $c \geq 1$ and $x \geq c$,
$$\frac{1}{2} \ln(cx) - x \leq -\frac{x}{2}.$$
The function $x \mapsto \frac{x}{2} - \frac{1}{2}\ln(cx)$ is increasing for $x \geq 1$. It suffices to show that it is nonnegative for $x = c$. To see that, we differentiate the function $y \mapsto y - \ln(y^2)$ to prove that for all $y \geq 1$, we have $y - \ln(y^2) > 0$. This proves the claim.

Using this inequality (with $x = \delta^2 b$ and $c = 16 a^2 \pi$), we have for $\delta^2 b \geq 16 a^2 \pi$,
$$-\delta^2 b + \ln(4a\sqrt{\pi}\delta\sqrt{b}) \leq -\frac{\delta^2 b}{2} \quad \text{and} \quad -2\delta^2 b + \ln 2 \leq -\frac{\delta^2 b}{2}.$$
Finally,
$$\Pr\Big\{ \frac{1}{t} \sum_{k=1}^t X_k \geq \delta \Big\} \leq \exp\Big( - \frac{\delta^2 b t}{2} \Big).$$
$\square$
A.2 Permutation extractors

In order to prove the existence of strong permutation extractors with good parameters, we use the construction of Guruswami, Umans, and Vadhan [2009] which is inspired by list decoding. Their main construction is a lossless condenser based on Parvaresh-Vardy codes. Using this condenser, they build an explicit extractor with good parameters. However, this lossless condenser based on Parvaresh-Vardy codes does not seem to be easily extended into a permutation condenser. The same paper also presents a lossy condenser based on Reed-Solomon codes, which can indeed be transformed into a permutation condenser. This permutation condenser can then be used in the extractor construction instead of the lossless condenser, giving a strong permutation extractor. In this section, we describe this construction. For completeness, we reproduce most of the proof here, except the results that are used exactly as stated in Guruswami et al. [2009].

It is also worth mentioning that to obtain metric uncertainty relations, we want strong extractors. Even though the extractors in Guruswami et al. [2009] are not directly described as strong, they are essentially strong. In this section, we describe all the condensers and extractors as strong.

Definition A.2.1 (Condenser). A function $C : \{0,1\}^n \times S \to \{0,1\}^{n'}$ is an $(n, k) \to_\epsilon (n', k')$ condenser if for every $X$ with min-entropy at least $k$, $C(X, U_S)$ is $\epsilon$-close to a distribution with min-entropy $k'$ when $U_S$ is uniformly distributed on $S$. A condenser $C$ is strong if $(U_S, C(X, U_S))$ is $\epsilon$-close to $(U_S, Z)$ for some random variable $Z$ such that for all $y \in S$, $Z|_{U_S = y}$ has min-entropy at least $k'$.

A condenser is explicit if it is computable in polynomial time in $n$.

Remark. The set $S$ is usually of the form $\{0,1\}^d$ for some integer $d$. Here, it is convenient to take sets $S$ not of this form to obtain permutation extractors. Note also that an extractor is an $(n, k) \to_\epsilon (m, m)$ condenser.

Definition A.2.2 (Permutation condenser). A family $\{P_y\}_{y \in S}$ of permutations of $\{0,1\}^n$ is an $(n, k) \to_\epsilon (n', k')$ strong permutation condenser if the function $P^C : (x, y) \mapsto P^C_y(x)$, where $P^C_y(x)$ refers to the first $n'$ bits of $P_y(x)$, is an $(n, k) \to_\epsilon (n', k')$ strong condenser.

A strong permutation condenser is explicit if for all $y \in S$, both $P_y$ and $P_y^{-1}$ are computable in polynomial time.

The following theorem describes the condenser that will be used as a building block in the extractor construction. It is an analogue of Theorem 7.2 in Guruswami et al. [2009].
Theorem A.2.3. For all positive integers $n$ and $\ell \leq n$, as well as $\alpha, \epsilon \in (0, 1/2)$, there exists an explicit family of permutations $\{RS_y\}_{y \in S}$ of $\mathbb{F}_q^n$ that is an
$$(nt, (\ell+1)t) \to_\epsilon (\ell t, (1-\alpha)\ell t - 4)$$
strong permutation condenser with $t = \lceil 1/\alpha \cdot \log(24 n^2/\epsilon) \rceil$ and $\log|S| \leq t$. Moreover, the functions $(x, y) \mapsto RS_y(x)$ and $(x, y) \mapsto RS_y^{-1}(x)$ can be computed by a circuit of size $O(n \, \mathrm{polylog}(n/\epsilon))$.

Proof. Set $q = 2^t$ and $\epsilon_0 = \epsilon/6$. Consider the function $C' : \mathbb{F}_q^n \times \mathbb{F}_q \to \mathbb{F}_q^{\ell+1}$ defined by
$$C'(f, y) = [y, f(y), f(\zeta y), \ldots, f(\zeta^{\ell-1} y)],$$
where $\mathbb{F}_q^n$ is interpreted as the set of polynomials over $\mathbb{F}_q$ of degree at most $n-1$ and $\zeta$ is a generator of the multiplicative group $\mathbb{F}_q^*$. First, we compute the input and output sizes in terms of bits. The inputs can be described using $\log|\mathbb{F}_q^n| = n \log q = nt$ bits, the seed using $\log|\mathbb{F}_q| = t$ bits and the output using $\log|\mathbb{F}_q^{\ell+1}| = (\ell+1)t$. Using [Guruswami et al., 2009, Theorem 7.1], for any integer $h$, $C'$ is a
$$\Big( nt, \; \log(q^\ell - 1) + \log\frac{1}{\epsilon_0} \Big) \to_{2\epsilon_0} \Big( \ell t + t, \; \log\frac{A h^\ell - 1}{2\epsilon_0} \Big) \qquad (A.2)$$
condenser, where by definition $A = \epsilon_0 q - (n-1)(h-1)\ell$. We now choose $h = \lceil q^{1-\alpha} \rceil$. As $q \geq (4n^2/\epsilon_0)^{1/\alpha}$, we have $A \geq \epsilon_0 q - n^2 h \geq \epsilon_0 q - \frac{\epsilon_0 q^\alpha}{4} \cdot (q^{1-\alpha} + 1) \geq \epsilon_0 q/2$. Thus, we can compute the bounds we obtain on the condenser $C'$:
$$\log(q^\ell - 1) + \log(1/\epsilon_0) \leq (\ell+1)t$$
and
$$\log\frac{A h^\ell - 1}{2\epsilon_0} = \log(A h^\ell - 1) + \log\frac{1}{2\epsilon_0} \geq \log(A h^\ell) - 1 + \log\frac{1}{2\epsilon_0} \geq \log(q/4) + \ell \log h - 1 \geq t + (1-\alpha)\ell t - 3.$$
Plugging these values in equation (A.2), we get that $C'$ is a
$$(nt, (\ell+1)t) \to_{2\epsilon_0} (\ell t + t, (1-\alpha)\ell t + t - 3) \qquad (A.3)$$
condenser.
Observe that the seed $y$ is part of the output of the condenser. As we want to construct a strong condenser, we do not consider the seed as part of the output of the condenser. For this, we define $C : \mathbb{F}_q^n \times \mathbb{F}_q \to \mathbb{F}_q^{\ell}$ by $C(f, y) = [f(y), \dots, f(\zeta^{\ell-1} y)]$. Moreover, as will be clear later when we try to build a permutation condenser, we take the seed to be uniform on $S \stackrel{\mathrm{def}}{=} \mathbb{F}_q^* = \mathbb{F}_q - \{0\}$ instead of being uniform on the whole field $\mathbb{F}_q$. Note that this increases the error of the condenser by at most $2^{-t} \le \varepsilon_0$ (because one can choose $U_{\mathbb{F}_q^*} = U_{\mathbb{F}_q}$ with probability $1 - 2^{-t}$). Here and in the rest of this proof, we will be using Doeblin's coupling lemma (see Chapter 2).

Equation (A.3) then implies that if $X$ has min-entropy at least $(\ell+1)t$ and $U_S$ is uniform on $S$, then the distribution of $(U_S, C(X, U_S))$ is $3\varepsilon_0$-close to a distribution with min-entropy at least $(1-\alpha)\ell t + t - 3$. Let $Y \in S$ and $Z \in \{0,1\}^{\ell t}$ be random variables such that $H_{\min}(Y, Z) \ge (1-\alpha)\ell t + t - 3$ and $(U_S, C(X, U_S)) = (Y, Z)$ with probability at least $1 - 3\varepsilon_0$. If $Y$ were uniformly distributed on $S$, then it would follow directly that for all $y \in S$, $H_{\min}(Z \mid Y = y) \ge (1-\alpha)\ell t - 3$. However, $Y$ is not necessarily uniformly distributed. We define a new random variable $Z'$ by
$$Z' = \begin{cases} Z & \text{if } Y = U_S \\ U' & \text{if } Y \ne U_S \end{cases}$$
where $U'$ is uniformly distributed on $\{0,1\}^{\ell t}$ and independent of all the other random variables. We have for any $z \in \{0,1\}^{\ell t}$ and $y \in S$,
$$\begin{aligned}
\Pr\{Z' = z \mid U_S = y\} &= \frac{1}{\Pr\{U_S = y\}}\Big(\Pr\{Z' = z, Y = y, Y = U_S\} + \Pr\{Z' = z, U_S = y, Y \ne U_S\}\Big) \\
&\le \frac{1}{\Pr\{U_S = y\}}\Big(2^{-((1-\alpha)\ell t + t - 3)} + \frac{2^{-\ell t}}{|S|}\Big) \\
&\le 2 \cdot 2^{-(1-\alpha)\ell t + 3},
\end{aligned}$$
where the last step uses $|S| < 2^t$. Moreover, we have $(U_S, C(X, U_S)) = (U_S, Z')$ with probability at least $1 - 6\varepsilon_0$. We conclude that $C$ is a
$$(nt,\ (\ell+1)t) \to_{\varepsilon} (\ell t,\ (1-\alpha)\ell t - 4) \qquad (\mathrm{A.4})$$
strong condenser.

To define our permutation condenser, we set the first $n' = \ell t$ bits $RS^C_y(x)$ of $RS_y(x)$ to be $RS^C_y(x) = C(x, y)$. We then define the remaining bits by $RS^R_y(f) = [f(\zeta^{\ell} y), \dots, f(\zeta^{n-1} y)]$. As $q - 1 \ge n$ (indeed $q \ge (24n^2/\varepsilon)^2$ since $\alpha < 1/2$) and $\zeta$ is a generator of $\mathbb{F}_q^*$, the elements $y, \zeta y, \dots, \zeta^{n-1} y$ are distinct provided $y \ne 0$. So for $y \ne 0$, $(RS^C, RS^R)_y(f)$ is the evaluation of the polynomial $f$ of degree at most $n-1$ at $n$ distinct points. Thus, $f \mapsto RS_y(f)$ is a bijection on $\mathbb{F}_q^n$ for all $y \ne 0$. This is why the value $0$ for the seed was excluded earlier.

Concerning the computation of the functions $RS_y$ and $RS_y^{-1}$, they only require the evaluation of a polynomial on elements of the finite field $\mathbb{F}_q$. Computations in the finite field $\mathbb{F}_q$ can be performed efficiently by finding an irreducible polynomial of degree $\log q$ over $\mathbb{F}_2$ and doing computations modulo this polynomial. In fact, finding an irreducible polynomial of degree $\log q$ over $\mathbb{F}_2$ can be done in time polynomial in $\log q$ (see for example Shoup [1990] for a deterministic algorithm and Corollary 14.43 in the book of von zur Gathen and Gerhard [1999] for a simpler randomized algorithm). Since addition, multiplication and finding the greatest common divisor of polynomials in $\mathbb{F}_2[X]$ can be done using a number of operations in $\mathbb{F}_2$ that is polynomial in the degrees, we conclude that computations in $\mathbb{F}_q$ can be implemented in time $O(\mathrm{polylog}(n/\varepsilon))$. Moreover, one can efficiently find a generator $\zeta$ of the group $\mathbb{F}_q^*$. For example, Theorem 1.1 in Shoup [1992] shows the existence of a deterministic algorithm having a runtime $O(\mathrm{poly}(\log q)) = O(\mathrm{polylog}(n/\varepsilon))$.

To evaluate $RS_y$ at a polynomial $f$, we compute the field elements $y, \zeta y, \dots, \zeta^{n-1} y$ and then evaluate the polynomial $f$ on these points. Using a fast multipoint evaluation, this step can be done in $O(n\,\mathrm{polylog}\,n)$ operations in $\mathbb{F}_q$ (see Corollary 10.8 in von zur Gathen and Gerhard [1999]). Moreover, given a list $[f(y), \dots, f(\zeta^{n-1} y)]$ for $y \ne 0$, we can find $f$ by fast interpolation in $\mathbb{F}_q[X]$ (see Corollary 10.12 in von zur Gathen and Gerhard [1999]). As a result, $RS_y^{-1}$ can also be computed in $O(n\,\mathrm{polylog}\,n)$ operations in $\mathbb{F}_q$. □



This condenser will be composed with other extractors; the following lemma shows how to compose condensers.

Lemma A.2.4 (Composition of strong permutation condensers). Let $\{P_{1,y_1}\}_{y_1 \in S_1}$ be an $(n, k) \to_{\varepsilon} (n', k')$ strong permutation condenser and $\{P_{2,y_2}\}_{y_2 \in S_2}$ be an $(n', k') \to_{\varepsilon} (n'', k'')$ strong permutation condenser. Then $\{P_y\}_{y = (y_1, y_2) \in S_1 \times S_2} = \{(P^C_y, P^R_y)\}$, where $P^C_{y_1 y_2} = P^C_{2,y_2} \circ P^C_{1,y_1}$ and $P^R_{y_1 y_2} = \big(P^R_{2,y_2} \circ P^C_{1,y_1},\ P^R_{1,y_1}\big)$, is an $(n, k) \to_{2\varepsilon} (n'', k'')$ strong permutation condenser.



Proof. $P_y$ is clearly a permutation of $\{0,1\}^n$. We only need to check that $P^C$ is a strong condenser. By definition, if $H_{\min}(X) \ge k$, $(U_{S_1}, P^C_{1,U_{S_1}}(X))$ is $\varepsilon$-close to $(U_{S_1}, Z)$ where $Z|_{U_{S_1} = y_1}$ has min-entropy at least $k'$. Now putting $Z$ into the condenser $P^C_2$, we get that for any $y_1$, $(U_{S_2}, P^C_{2,U_{S_2}}(Z_{y_1}))$ is $\varepsilon$-close to $(U_{S_2}, Z_2)$ where $Z_2|_{U_{S_2} = y_2}$ has min-entropy at least $k''$ for any $y_2 \in S_2$. Thus, $Z_2|_{U_{S_1} U_{S_2} = y_1 y_2}$ has min-entropy at least $k''$. Moreover, by the triangle inequality, we have $\Delta\big((U_{S_1}, U_{S_2}, P^C_{U_{S_1} U_{S_2}}(X)),\ (U_{S_1}, U_{S_2}, Z_2)\big) \le 2\varepsilon$. □

Next, we present one of the standard extractors that are used as a building block in many 
constructions. 



Lemma A.2.5 ("Leftover Hash Lemma" extractor [Impagliazzo et al., 1989]). For all positive integers $n$ and $k \le n$, and $\varepsilon > 0$, there exists an explicit family $(P_y)_{y \in S}$ of permutations of $\{0,1\}^n$ that is an $(n, k) \to_{\varepsilon} m$ strong permutation extractor with $\log|S| = \log(2^n - 1)$ and $m \ge k - 2\log(2/\varepsilon)$.

Proof. We view $\{0,1\}^n$ as the finite field $\mathbb{F}_{2^n}$ and set $S = \mathbb{F}_{2^n}^*$. We then define the permutation $P_y(x) = x \cdot y$ where the product $x \cdot y$ is taken in the field $\mathbb{F}_{2^n}$. Truncated to its first $m$ bits, the family of functions $P_y$ is a universal hash family (two distinct inputs collide with probability at most $2^{-m}$ over a uniform $y$, since $(x - x') y$ is uniform in $\mathbb{F}_{2^n}$), which is what the Leftover Hash Lemma requires. Applying the Leftover Hash Lemma [Impagliazzo et al., 1989], we get that if $Y$ is uniform on $\mathbb{F}_{2^n}$, the distribution of the first $\lfloor k - 2\log(1/\varepsilon) \rfloor$ bits of $P_Y(X)$ together with $Y$ is $\varepsilon$-close to uniform. Now if $U_S$ is only uniform on $\mathbb{F}_{2^n}^*$, $(U_S, P_{U_S}(X))$ is $(\varepsilon + 2^{-n})$-close to the uniform distribution. The result follows from the fact that we can suppose $\varepsilon \ge 2^{-n}$ (otherwise, $k - 2\log(1/\varepsilon) \le 0$ and the theorem is trivially true). □
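Both permutation families above can be instantiated over a toy field in a few dozen lines. The following Python program is an added example written for this page; it is not code from the thesis. It builds $\mathbb{F}_{2^4}$ with the hand-chosen (assumed) irreducible polynomial $x^4 + x + 1$, finds a generator $\zeta$ by brute force, implements $RS_y(f)$ (evaluation of $f$ at $y, \zeta y, \dots, \zeta^{n-1} y$) together with its inverse by Lagrange interpolation as in the proof of Theorem A.2.3, and implements $P_y(x) = x \cdot y$ of Lemma A.2.5. The checks are the ones the two proofs rely on: $RS_y$ is a bijection exactly when $y \ne 0$, the condenser output $C_y(f)$ is a prefix of $RS_y(f)$, truncated multiplication is universal with collision probability $2^{-m}$, and a flat $3$-bit source hashed to one bit lands within the Leftover Hash Lemma bound. The sizes ($T = 4$, $n = 3$, $\ell = 2$) are illustrative assumptions, not values from the text.

```python
"""Added example (not from the thesis): toy instances over GF(2^4) of the
permutation families of Theorem A.2.3 (Reed-Solomon evaluation RS_y) and
Lemma A.2.5 (multiplication by y), with the checks their proofs rely on.
All parameters below are illustrative assumptions, not values from the text."""
from fractions import Fraction
from itertools import product

T = 4                  # assumption: field GF(2^T), q = 16, small enough to enumerate
Q = 1 << T
MODULUS = 0b10011      # x^4 + x + 1, irreducible over F_2 (assumption, chosen by hand)


def gf_mul(a: int, b: int) -> int:
    """Product in GF(2^T); elements are T-bit integers, reduced modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= MODULUS
    return r


def gf_pow(a: int, e: int) -> int:
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r


def gf_inv(a: int) -> int:
    return gf_pow(a, Q - 2)  # a^(q-2) = a^(-1) for a != 0


def find_generator() -> int:
    """Brute-force a generator zeta of GF(q)^* (the proof cites Shoup for large q)."""
    for g in range(2, Q):
        if len({gf_pow(g, i) for i in range(Q - 1)}) == Q - 1:
            return g
    raise RuntimeError("no generator found: MODULUS is not irreducible")


ZETA = find_generator()


def poly_eval(f, x: int) -> int:
    """Horner evaluation; f lists coefficients from degree 0 upward."""
    acc = 0
    for c in reversed(f):
        acc = gf_mul(acc, x) ^ c
    return acc


def rs_eval(f, y: int, count: int) -> list:
    """[f(y), f(zeta*y), ..., f(zeta^(count-1) y)]: count = ell gives the
    condenser C_y(f); count = len(f) = n gives the whole permutation RS_y(f)."""
    return [poly_eval(f, gf_mul(gf_pow(ZETA, i), y)) for i in range(count)]


def rs_inverse(vals: list, y: int) -> list:
    """RS_y^{-1} by Lagrange interpolation; needs y != 0 so the points are distinct."""
    n = len(vals)
    pts = [gf_mul(gf_pow(ZETA, i), y) for i in range(n)]
    if len(set(pts)) != n:
        raise ValueError("evaluation points collide (y == 0 or n > q-1)")
    f = [0] * n
    for i, xi in enumerate(pts):
        basis, denom = [1], 1  # L_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j)
        for j, xj in enumerate(pts):
            if j == i:
                continue
            new = [0] * (len(basis) + 1)
            for k, c in enumerate(basis):   # multiply basis by (x + x_j); char 2, so - is +
                new[k] ^= gf_mul(c, xj)
                new[k + 1] ^= c
            basis, denom = new, gf_mul(denom, xi ^ xj)
        scale = gf_mul(vals[i], gf_inv(denom))
        for k, c in enumerate(basis):
            f[k] ^= gf_mul(scale, c)
    return f


def rs_image_size(n: int, y: int) -> int:
    """Number of distinct RS_y(f) over all q^n polynomials of degree < n."""
    return len({tuple(rs_eval(f, y, n)) for f in product(range(Q), repeat=n)})


def lhl_hash(x: int, y: int, m: int) -> int:
    """First m bits (here: the m low-order bits) of P_y(x) = x * y in GF(2^T)."""
    return gf_mul(x, y) & ((1 << m) - 1)


def collision_prob(x1: int, x2: int, m: int) -> Fraction:
    """Pr_y[lhl_hash(x1) == lhl_hash(x2)] over y uniform in GF(q); 2^-m if x1 != x2."""
    hits = sum(lhl_hash(x1, y, m) == lhl_hash(x2, y, m) for y in range(Q))
    return Fraction(hits, Q)


def lhl_distance(support: list, m: int) -> Fraction:
    """Statistical distance of (Y, lhl_hash(X, Y, m)) from uniform, X flat on `support`
    (2^k elements, hence a k-source) and Y uniform on GF(q); LHL bounds it by sqrt(2^(m-k))/2."""
    counts = {}
    for x in support:
        for y in range(Q):
            key = (y, lhl_hash(x, y, m))
            counts[key] = counts.get(key, 0) + 1
    total, uniform = len(support) * Q, Fraction(1, Q << m)
    return sum(abs(Fraction(counts.get((y, z), 0), total) - uniform)
               for y in range(Q) for z in range(1 << m)) / 2
```

`rs_image_size(3, 0)` returns only $q$ distinct images (every evaluation point collapses to $0$, so only $f(0)$ survives), while any $y \ne 0$ gives $q^3$, which is the reason the seed $0$ is excluded in the proof above. `lhl_distance(list(range(8)), 1)` is the exact distance for $k = 3$, $m = 1$ and is below the Leftover Hash Lemma bound $\tfrac12\sqrt{2^{m-k}} = 1/4$; it is strictly positive because the hash family is evaluated over all of $\mathbb{F}_q$, including $y = 0$, exactly the $2^{-n}$ loss the proof absorbs by restricting the seed to $\mathbb{F}_q^*$.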

The problem with this extractor is that it uses a seed that is as long as the input. Next, 
we introduce the notion of a block source. 

Definition A.2.6 (Block source). $X = (X_1, X_2, \dots, X_s)$ is a $(k_1, k_2, \dots, k_s)$ block source if for every $i \in \{1, \dots, s\}$ and every $x_1, \dots, x_{i-1}$, the conditional distribution $X_i|_{X_1 = x_1, \dots, X_{i-1} = x_{i-1}}$ is a $k_i$-source. When $k_1 = \dots = k_s = k$, we call $X$ an $s \times k$ source.

A block source has more structure than a general source. However, for a source of large min-entropy $k$ (or equivalently with small entropy deficiency $\Delta = n - k$), one does not lose too much entropy by viewing a general source as a block source where each block has entropy deficiency roughly $\Delta$. See [Guruswami et al. 2009, Corollary 5.9] for a precise statement.



Lemma A.2.7 ([Guruswami et al. 2009, Lemma 5.4]). Let $s$ be a (constant) positive integer. For all positive integers $n$ and $\ell < n$ and all $\varepsilon > 0$, setting $t = \lceil 8s \log(24n^2 \cdot (4s+1)/\varepsilon) \rceil$, there is an explicit family $\{L_y\}_{y \in S}$ of permutations of $\{0,1\}^n$ that is an
$$(n,\ 2\ell t) \to_{\varepsilon} \ell t$$
strong permutation extractor with $\log|S| \le 2\ell t/s + t$.



Proof. As the extractor is composed of many building blocks, each generating some error, we define $\varepsilon_0 = \varepsilon/(4s+1)$ where $\varepsilon$ is the target error of the final extractor. The idea is to first apply the condenser $RS$ of Theorem A.2.3 with $\alpha = 1/(8s)$ (so that its parameter $t$ is exactly the $t$ fixed in the statement) to obtain a string $X' = RS^C(X, U_{\mathbb{F}_q^*})$ of length $n' = (2\ell - 1)t$ which is $\varepsilon_0$-close to a $k'$-source where
$$k' = \Big(1 - \frac{1}{8s}\Big)(2\ell - 1)t - 4.$$
The entropy deficiency $\Delta$ of this $k'$-source can be bounded by
$$\Delta = n' - k' \le \frac{(2\ell - 1)t}{8s} + 4.$$
Then, we partition $X' = (X'_1, \dots, X'_{2s})$ (arbitrarily) into $2s$ blocks of size $n'' = \lfloor n'/2s \rfloor$ or $n'' + 1$. Using [Guruswami et al. 2009, Corollary 5.9], $(X'_1, \dots, X'_{2s})$ is $2s\varepsilon_0$-close to some $2s \times k''$-source where $k'' = n'' - \Delta - \log(1/\varepsilon_0)$.

We have $\Delta \le \ell t/(4s) + 3 \le \ell t/(3s)$ for $n$ large enough. Thus,
$$k'' \ge \frac{\ell t}{s} - \frac{\ell t}{3s} - \log(1/\varepsilon_0) = \frac{2\ell t}{3s} - \log(1/\varepsilon_0).$$

We can then apply the extractor of Lemma A.2.5 to all the $2s$ blocks using the same seed of size $n'' + 1$. Note that we can reuse the same seed because we have a strong extractor and the seed is independent of all the blocks. This extractor extracts almost all the min-entropy of the sources. More precisely, if we input to this extractor a $2s \times k''$-source, the output distribution is $2s\varepsilon_0$-close to $m$ uniform bits where
$$m \ge 2s \cdot \big(k'' - 2\log(2/\varepsilon_0)\big) \ge \frac{4\ell t}{3} - 6s\log(2/\varepsilon_0) \ge \ell t.$$
Overall, the output of this extractor is $\varepsilon_0 + 2s\varepsilon_0 + 2s\varepsilon_0 = \varepsilon$-close to the uniform distribution on $m$ bits.

It only remains to show that the extractor we just described is strong and can be extended to a permutation. This follows from Lemma A.2.4 and the fact that the condensers (coming from Theorem A.2.3 and Lemma A.2.5) are strong permutation condensers. □



Remark. As pointed out in Guruswami et al. [2009], a stronger version of this lemma (i.e., with larger output) can be proved by using the condenser of Theorem A.2.3 and the high min-entropy extractor of Goldreich and Wigderson [1997] with a Ramanujan expander (for example, the expander of Lubotzky et al. [1988]). This construction can also give a strong permutation extractor. However, using this extractor would slightly complicate the exposition and does not really influence the final extractor construction presented in Theorem 3.4.5.

The following lemma basically says that the entropy is conserved by a permutation extractor. It is an adapted version of [Raz et al. 1999, Lemma 26].
Lemma A.2.8. Let $\{P_y\}_{y \in S}$ be an $(n, k) \to_{\varepsilon} m$ strong permutation extractor and let $X$ be a $k$-source. Then $(U_S, P^C_{U_S}(X), P^R_{U_S}(X))$ is $2\varepsilon$-close to $(U'_S, U'_{\{0,1\}^m}, W)$ where $U'_S$ and $U'_{\{0,1\}^m}$ are independent and uniformly distributed over $S$ and $\{0,1\}^m$ respectively, and for all $y \in S$, $z \in \{0,1\}^m$,
$$H_{\min}\big(W \mid (U'_S, U'_{\{0,1\}^m}) = (y, z)\big) \ge k - m - 1.$$

Proof. As $\{P_y\}$ is a strong extractor, there exist random variables $U'_S$ and $U'_{\{0,1\}^m}$ uniformly distributed on $S$ and $\{0,1\}^m$ such that $\Pr\{(U_S, P^C_{U_S}(X)) \ne (U'_S, U'_{\{0,1\}^m})\} \le \varepsilon$. Define $\Gamma = \{(y, z) \in S \times \{0,1\}^m : \Pr\{P^C_y(X) = z\} < \tfrac12 \cdot 2^{-m}\}$. We have for every $(y, z) \notin \Gamma$ and $x \in \{0,1\}^{n-m}$,
$$\begin{aligned}
\Pr\{P^R_y(X) = x \mid P^C_y(X) = z\} &= \frac{\Pr\{P^R_y(X) = x,\ P^C_y(X) = z\}}{\Pr\{P^C_y(X) = z\}} \\
&\le 2^{m+1} \Pr\{X = P_y^{-1}(z, x)\} \\
&\le 2^{-(k - m - 1)}.
\end{aligned}$$
We then show that $\Pr\{(U_S, P^C_{U_S}(X)) \in \Gamma\} \le \varepsilon$. Using the fact that $\{P_y\}$ is a strong extractor, we have
$$\Big|\Pr\{(U'_S, U'_{\{0,1\}^m}) \in \Gamma\} - \Pr\{(U_S, P^C_{U_S}(X)) \in \Gamma\}\Big| \le \varepsilon.$$
But recall that, by definition of $\Gamma$, $\Pr\{(U_S, P^C_{U_S}(X)) \in \Gamma\} \le \tfrac12 \Pr\{(U'_S, U'_{\{0,1\}^m}) \in \Gamma\}$, so we get
$$\Pr\{(U_S, P^C_{U_S}(X)) \in \Gamma\} \le \varepsilon.$$
Finally we define
$$W = \begin{cases} P^R_{U_S}(X) & \text{if } (U_S, P^C_{U_S}(X)) \notin \Gamma \\ U^* & \text{if } (U_S, P^C_{U_S}(X)) \in \Gamma \end{cases}$$
where $U^*$ is uniform on $\{0,1\}^{n-m}$ and independent of all other random variables. We conclude by observing that with probability at least $1 - 2\varepsilon$, we have $(U_S, P^C_{U_S}(X)) = (U'_S, U'_{\{0,1\}^m})$ and $P^R_{U_S}(X) = W$. □

We then combine these results to obtain the desired extractor. The proof of the following theorem closely follows [Guruswami et al. 2009, Theorem 5.10], but uses the lossy condenser presented in Theorem A.2.3 and makes small modifications to obtain a permutation extractor.

Theorem A.2.9. For all integers $n \ge 1$, all $\varepsilon \in (0, 1/2)$, and all $k \in \big[200\lceil 200\log(24n^2/\varepsilon)\rceil,\ n\big]$, there is an explicit $(n, k) \to_{\varepsilon} \lfloor k/4 \rfloor$ strong permutation extractor $\{P_y\}_{y \in S}$ with $\log|S| \le 200\lceil 200 \log(24n^2/\varepsilon) \rceil$. Moreover, the function $(x, y) \mapsto P_y(x)$ can be computed by a circuit of size $O(n\,\mathrm{polylog}(n/\varepsilon))$.



Proof. If $n \le 2 \cdot 10^6$, we can use the extractor of Lemma A.2.7 with $s = 200$ and $\ell \ge 1$ such that $2\ell t \le k < 2(\ell+1)t$. This gives an extractor whose seed has size at most $2\ell t/200 + t \le 10^4 + t \le 200\lceil 200\log(24n^2/\varepsilon)\rceil$ and that extracts $\ell t \ge \tfrac14 \cdot 2(\ell+1)t > k/4$ bits, so the statement still holds true. In the rest of the proof, we assume $n > 2 \cdot 10^6$.

The idea of the construction is to build, for an integer $i \ge 0$, an explicit $(n, 2^i \cdot 8d) \to_{\varepsilon} 2^{i-1} \cdot 8d$ extractor using $d$ bits of seed, by induction on $i$. Fix $t(\varepsilon) = \lceil 200\log(24n^2/\varepsilon) \rceil$ and $d(\varepsilon) = 200\,t(\varepsilon)$. The induction hypothesis for an integer $i \ge 0$ is as follows: for all integers $i' \le i$ and $n$ and all $\varepsilon > 0$, there is an explicit
$$(n,\ 2^{i'} \cdot 8d(\varepsilon)) \to_{\varepsilon} 2^{i'-1} \cdot 8d(\varepsilon)$$
strong permutation extractor with seed size $d(\varepsilon)$. This extractor is called $\{P^{(i')}_y\}_{y \in S_{i'}}$.

For both $i = 0$ and $i = 1$, we can use the extractor of Lemma A.2.7 with $s = 20$. For $i \in \{0, 1\}$, this gives an extractor with seed of size at most $2^i \cdot 8d(\varepsilon)/20 + t' \le \tfrac45 d(\varepsilon) + t' \le d(\varepsilon)$, where $t' = \lceil 160\log(24n^2 \cdot 81/\varepsilon) \rceil \le d(\varepsilon)/5$ is the value of $t$ in Lemma A.2.7 for $s = 20$.

We now show for $i \ge 2$ how to build the extractor $\{P^{(i)}_y\}$ using the extractors $\{P^{(i')}_y\}$ for $i' < i$. Using the induction hypothesis, we construct the following extractor, which will be applied four times to extract the necessary random bits to prove the induction step. The choice of the form of the min-entropy values will become clear later. Set $\varepsilon_0 = \varepsilon/20$.

Claim. There exists an
$$(n,\ 2^i \cdot 4.5\,d(\varepsilon_0)) \to_{5\varepsilon_0} 2^i \cdot d(\varepsilon_0)$$
strong permutation extractor $\{Q_y\}_{y \in T}$ with seed size $\log|T| \le d(\varepsilon)/4$.

To prove the claim, we start by applying the condenser of Theorem A.2.3 with $\alpha = 1/200$ and $\varepsilon = \varepsilon_0$ (so we use a seed of size $t(\varepsilon_0)$). The output $X'$ of size at most $2^i \cdot 4.5\,d(\varepsilon_0)$ is then $\varepsilon_0$-close to having min-entropy at least $(1 - \alpha)\,2^i \cdot 4.5\,d(\varepsilon_0) - t(\varepsilon_0)$. The entropy deficiency of this distribution is at most
$$\alpha\, 2^i \cdot 4.5\,d(\varepsilon_0) + t(\varepsilon_0) \le \frac{2^i \cdot 4.5\,d(\varepsilon_0)}{100}.$$
We then divide $X'$ into two equal blocks $X' = (X'_1, X'_2)$, and we know that it is $2\varepsilon_0$-close to being a $2 \times k'$-source for
$$k' = \frac{2^i \cdot 4.5\,d(\varepsilon_0)}{2} - \frac{2^i \cdot 4.5\,d(\varepsilon_0)}{100} - \log(1/\varepsilon_0) \ \ge\ 2^i \cdot 4.5\,d(\varepsilon_0)\Big(\frac12 - \frac{1}{100} - \frac{1}{200}\Big),$$
as $\log(1/\varepsilon_0) \le t(\varepsilon_0) = d(\varepsilon_0)/200$. For the extractors we will apply next to this source, we should note that $k' \ge 2d(\varepsilon_0)$ and that $2^{i-1} \cdot 4d(\varepsilon_0) \le k' \le 2^{i-1} \cdot 8d(\varepsilon_0)$.

[Figure A.1 (block diagram, not reproduced): $X \to RS^C \to (X'_1, X'_2)$; an extractor $E$ is applied to $X'_1$ and $P^{(i-2)}$ to $X'_2$, producing the random bits.]
Figure A.1: The extractor $Q$ is obtained by first applying the condenser of Theorem A.2.3 and decomposing the output into two parts. The extractor of Lemma A.2.7 (built from the Leftover Hash Lemma) is applied to the first half and its output is used as a seed for the extractor $\{P^{(i-2)}_y\}$ coming from the induction hypothesis.



We now apply the extractor of Lemma A.2.7 to $X'_1$ (viewed as a $2d(\varepsilon_0)$-source) using a seed of size $2d(\varepsilon_0)/20$, obtaining $X''$ that is $\varepsilon_0$-close to uniform on $d(\varepsilon_0)$ bits. We then apply the extractor $\{P^{(i-2)}_y\}$ obtained by induction for $i - 2$ to $X'_2$ (of size at most $2^i \cdot 4.5\,d(\varepsilon_0) \le n$) with seed $X''$ (of size $d(\varepsilon_0)$): it is an $(n,\ 2^{i-2} \cdot 8d(\varepsilon_0)) \to_{\varepsilon_0} 2^i \cdot d(\varepsilon_0)$ permutation extractor. The construction is illustrated in Figure A.1. Note that the number of bits of the seed is
$$\log|T| \le t(\varepsilon_0) + \frac{2d(\varepsilon_0)}{20} \le \frac{d(\varepsilon)}{4}.$$
This concludes the proof of the claim.



Figure A.2: The permutation extractor $\{Q_y\}$ described in the claim is applied four times with independent seeds in order to extract $2^{i-1} \cdot 8d(\varepsilon)$ random bits.

The source $X$ we begin with is a $2^i \cdot 8d(\varepsilon)$-source. But we have $2^i \cdot 8d(\varepsilon) \ge 2^i \cdot 8d(\varepsilon_0) - 2^i \cdot 8 \cdot 200^2 \log 20 \ge 2^i \cdot 4.5\,d(\varepsilon_0)$, so that we can apply the permutation extractor $\{Q_y\}_{y \in T}$ of the claim. We obtain $Q^C_{U_T}(X)$, which is $5\varepsilon_0$-close to $2^i \cdot d(\varepsilon_0)$ random bits. As $Q^C$ is part of a permutation extractor, the remaining entropy is not lost: it is in $Q^R_{U_T}(X)$. More precisely, applying Lemma A.2.8 we get that $Q^R_{U_T}(X)$ is close to a source of min-entropy at least $2^i \cdot 8d(\varepsilon) - 2^i \cdot d(\varepsilon_0) - 1$. As $2^i \cdot 8d(\varepsilon) - 2^i \cdot d(\varepsilon_0) - 1 \ge 2^i \cdot 4.5\,d(\varepsilon_0)$, we can apply the extractor $\{Q_y\}_{y \in T}$ of the claim to this source. Note that the input size has decreased, but this only makes it easier to extract random bits as one can always encode in part of the input space. To apply $Q$ we use a fresh seed; this outputs a bit string that is close to uniform on $2^{i-3} \cdot 8d(\varepsilon_0)$ bits, and the remaining entropy can be found in the $R$ register. We apply this procedure four times in total, as shown in Figure A.2. Note that the reason we can apply it four times is that at the last application $2^i \cdot 8d(\varepsilon) - 3 \cdot 2^{i-3} \cdot 8d(\varepsilon_0) - 3 \ge 2^i \cdot 4.5\,d(\varepsilon_0)$. As the extractor $\{Q_y\}_{y \in T}$ has error at most $5\varepsilon_0$, the total error is bounded by $20\varepsilon_0 = \varepsilon$. We thus obtain an
$$(n,\ 2^i \cdot 8d(\varepsilon)) \to_{\varepsilon} 4 \cdot 2^{i-3} \cdot 8d(\varepsilon_0)$$
strong permutation extractor with seed set $S = T^4$, so that $\log|S| \le 4 \cdot d(\varepsilon)/4 \le d(\varepsilon)$. This proves the induction step. To obtain the theorem, we simply choose the largest $i$ such that $2^i \cdot 8d(\varepsilon) \le k$; then $2^{i+1} \cdot 8d(\varepsilon) > k$, so the extractor outputs $2^{i-1} \cdot 8d(\varepsilon) > k/4$ bits. □

By a repeated application of the previous theorem, we can extract a larger fraction of the 
min-entropy. 



Theorem 3.4.5. For all (constant) $\delta \in (0, 1)$, there exists $c > 0$ such that for all positive integers $n$, all $\varepsilon \in (0, 1/2)$ and all $k \in [c\log(n/\varepsilon),\ n]$, there is an explicit $(n, k) \to_{\varepsilon} (1 - \delta)k$ strong permutation extractor $\{P_y\}_{y \in S}$ with $\log|S| = O(\log(n/\varepsilon))$. Moreover, the functions $(x, y) \mapsto P_y(x)$ and $(x, y) \mapsto P_y^{-1}(x)$ can be computed by circuits of size $O(n\,\mathrm{polylog}(n/\varepsilon))$.

Proof. We start by applying the extractor of Theorem A.2.9. We extract part of the min-entropy of the source, and the remaining min-entropy is in the $R$ system (Lemma A.2.8). This min-entropy can be extracted using once again the extractor of Theorem A.2.9. After $O(\log(1/\delta))$ applications of the extractor, we obtain the desired result. □



A.3 Various technical results 



This section contains various technical results. We start by a lower bound on the key size 
for an encryption scheme. 

Proposition A.3.1. Let $\mathcal{E} : \{0,1\}^n \times [t] \to \mathcal{S}(A)$ be an encryption scheme with the following properties: there exists a decoding map $\mathcal{D}_k$ for every $k \in [t]$ such that $\mathcal{D}_k(\mathcal{E}(x, k)) = x$, and for all $x \ne x'$ we have
$$\Delta\Big(\frac1t \sum_k \mathcal{E}(x, k),\ \frac1t \sum_k \mathcal{E}(x', k)\Big) \le \varepsilon. \qquad (\mathrm{A.5})$$
Then $\log t \ge n - 2$ provided $\varepsilon \le 1/2$.



Proof. The argument we use is quite similar to [Desrosiers and Dupuis, 2010, Theorem 6]. First, by averaging (A.5) over all $x'$, we obtain
$$\Delta(\rho^{XA}, \rho^X \otimes \rho^A) \le \varepsilon + 2^{-n},$$
where $\rho^{XKA} = \frac{1}{2^n t}\sum_{x,k} |x\rangle\langle x|^X \otimes |k\rangle\langle k|^K \otimes \mathcal{E}(x, k)^A$. Using the relation between the trace distance and the fidelity (equation (2.7)), we get
$$F(\rho^{XA}, \rho^X \otimes \rho^A) \ge 1 - \varepsilon - 2^{-n}. \qquad (\mathrm{A.6})$$
Now, using the key $K$, one should be able to recover $X$ from $A$: this will allow us to get an upper bound on $F(\rho^{XA}, \rho^X \otimes \rho^A)$. Using Uhlmann's theorem (Theorem 2.2.1), we can find a purification $|\rho\rangle^{XKAR}$ of $\rho^{XKA}$ and a purification $|\sigma\rangle^{XKAR}$ of $\rho^X \otimes \rho^A$ such that
$$\begin{aligned}
F(\rho^{XA}, \rho^X \otimes \rho^A) &= F(\rho^{XKAR}, \sigma^{XKAR}) \\
&\le F(\rho^{XKA}, \sigma^{XKA}) \\
&\le F\big(\mathcal{D}(\rho^{XKA}), \mathcal{D}(\sigma^{XKA})\big) \\
&= F\big(\Phi^{XX'}, \mathcal{D}(\sigma^{XKA})\big).
\end{aligned}$$
Here, $\mathcal{D} = \sum_k \langle k|\,\cdot\,|k\rangle^K \otimes \mathcal{D}_k$ acts on $KA$ (it reads the key $K$ and applies $\mathcal{D}_k$ to $A$) and $\Phi^{XX'} = \frac{1}{2^n}\sum_x |x\rangle\langle x|^X \otimes |x\rangle\langle x|^{X'}$. The two inequalities follow from the monotonicity of the fidelity (equation (2.8)). The last equality comes from the fact that $\mathcal{D}$ decodes $X$ correctly given $K$ and $A$. Note that we can assume that $\sigma^{XKA}$ is classical on the $XK$ system (otherwise, simply measure $XK$ in the computational basis and use the monotonicity of the fidelity). We can then write $\sigma^{XKA} = \frac{1}{2^n}\sum_x |x\rangle\langle x| \otimes \sigma_x^{KA}$. In this case $F(\Phi^{XX'}, \mathcal{D}(\sigma^{XKA}))$ is simply the probability of successfully guessing $X$ given the system $KA$ by applying $\mathcal{D}$, the underlying state being $\sigma^{XKA}$. In fact, expanding the fidelity, we have
$$F\big(\Phi^{XX'}, \mathcal{D}(\sigma^{XKA})\big) = \frac{1}{2^n}\sum_x \Big\| |x\rangle\langle x|\,\sqrt{\mathcal{D}(\sigma_x^{KA})} \Big\|_1 \le P_{\mathrm{guess}}(X|KA)_\sigma = 2^{-H_{\min}(X|KA)_\sigma},$$
where we used the operational interpretation of the min-entropy (2.12) in the last step. Now, using a chain rule for the min-entropy [Desrosiers and Dupuis, 2010, Lemma 7], we have $H_{\min}(X|KA)_\sigma \ge H_{\min}(X|A)_\sigma - \log t = n - \log t$ (note that it is important here that $K$ is classical). Combining with (A.6), we get $1 - \varepsilon - 2^{-n} \le t/2^n$, which leads to the desired result. □



Next, we state the general decoupling result of Dupuis [2010], Dupuis et al. [2010a] for exact unitary 2-designs.

Lemma A.3.2 ([Dupuis, 2010, Theorem 3.7]). Let $A = A_1 A_2$, and consider the map $\mathcal{T}_{A \to A_1}$ defined in Equation (5.3). Then, if $\{U_1, \dots, U_t\}$ defines an exact unitary 2-design (Definition 5.2.4), we have for every state $\rho^{AE} \in \mathcal{S}(AE)$
$$\Big\| \frac1t \sum_{i=1}^t \mathcal{T}_{A \to A_1}\big(U_i \rho^{AE} U_i^\dagger\big) - \frac{\mathrm{id}^{A_1}}{|A_1|} \otimes \rho^E \Big\|_1 \le \sqrt{\frac{d_{A_1}}{d_{A_2}}}\; 2^{-\frac12 H_2(A|E)_\rho}. \qquad (\mathrm{A.7})$$



We also use the fact that a full set of MUBs defines a complex projective 2-design.

Lemma A.3.3 (Klappenecker and Rötteler [2005]). Let $\{U_1, \dots, U_{d_A+1}\}$ define a full set of mutually unbiased bases of $A$. Then
$$\frac{1}{d_A + 1}\sum_{i=1}^{d_A+1}\sum_{a \in [A]} \big(U_i |a\rangle\langle a| U_i^\dagger\big)^{\otimes 2} = \frac{2}{d_A + 1}\,\Pi_{\mathrm{sym}},$$
where $\Pi_{\mathrm{sym}}$ is the projector onto the symmetric subspace of $A \otimes A'$ (with $A' \simeq A$) spanned by the vectors $|aa'\rangle + |a'a\rangle$ for $a, a' \in [A]$. Note that
$$\Pi_{\mathrm{sym}} = \frac{\mathrm{id}^{AA'} + F^{AA'}}{2}.$$

The following well-known 'swap trick' is used to prove decoupling statements.

Lemma A.3.4. Let $M, N \in \mathcal{L}(A)$. Then
$$\mathrm{tr}[MN] = \mathrm{tr}\big[(M^A \otimes N^{A'})\,F^{AA'}\big],$$
where $A' \simeq A$ and $F^{AA'} = \sum_{a, a'} |aa'\rangle\langle a'a|$ is the swap operator.
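Both identities can be checked numerically on the smallest case, a single qubit, where the eigenbases of $Z$, $X$ and $Y$ form the full set of $d_A + 1 = 3$ mutually unbiased bases. The following Python program is an added example written for this page, not code from the thesis; it works on small complex matrices as lists of rows so that it runs without any numeric library. It builds $F^{AA'}$ and $\Pi_{\mathrm{sym}} = (\mathrm{id} + F)/2$, verifies the 2-design identity of Lemma A.3.3 in the equivalent form $\sum_{i,a} (U_i|a\rangle\langle a|U_i^\dagger)^{\otimes 2} = 2\,\Pi_{\mathrm{sym}}$ (both sides multiplied by $d_A + 1$), and verifies the swap trick of Lemma A.3.4 on arbitrary complex matrices. The choice of Pauli eigenbases as the MUB set is an assumption; any unitarily equivalent full set behaves the same way.

```python
"""Added example (not from the thesis): numeric check of Lemma A.3.3 (a full set
of MUBs is a complex projective 2-design) and Lemma A.3.4 (the swap trick) for
a qubit. Plain Python on lists of rows; no numeric library required."""
from itertools import product


def kron(M, N):
    """Kronecker product M (x) N of square matrices given as lists of rows."""
    n, m = len(M), len(N)
    return [[M[i // m][j // m] * N[i % m][j % m] for j in range(n * m)]
            for i in range(n * m)]


def matmul(M, N):
    return [[sum(M[i][k] * N[k][j] for k in range(len(N))) for j in range(len(N[0]))]
            for i in range(len(M))]


def trace(M):
    return sum(M[i][i] for i in range(len(M)))


def outer(v):
    """|v><v| for a vector v given as a list of complex numbers."""
    return [[a * b.conjugate() for b in v] for a in v]


def add(M, N, s=1):
    """M + s*N entrywise."""
    return [[M[i][j] + s * N[i][j] for j in range(len(M))] for i in range(len(M))]


def scale(M, c):
    return [[c * x for x in row] for row in M]


D = 2
R = 1 / 2 ** 0.5
# Full set of d+1 = 3 MUBs for a qubit: eigenbases of Z, X and Y (assumption:
# the standard Pauli choice; each inner list is one basis, each entry a vector).
MUBS = [
    [[1, 0], [0, 1]],                # Z basis
    [[R, R], [R, -R]],               # X basis
    [[R, 1j * R], [R, -1j * R]],     # Y basis
]


def swap_operator(d):
    """F = sum_{a,a'} |a a'><a' a| on C^d (x) C^d, index (a, a') -> a*d + a'."""
    F = [[0] * (d * d) for _ in range(d * d)]
    for a, b in product(range(d), repeat=2):
        F[a * d + b][b * d + a] = 1
    return F


def sym_projector(d):
    """Pi_sym = (id + F) / 2, the projector onto the symmetric subspace."""
    I = [[1 if i == j else 0 for j in range(d * d)] for i in range(d * d)]
    return scale(add(I, swap_operator(d)), 0.5)


def mub_two_design_residual():
    """Largest |entry| of sum_{i,a} (|psi_{i,a}><psi_{i,a}|)^{(x)2} - 2 Pi_sym.
    Zero (up to rounding) exactly when the MUB vectors form a 2-design."""
    total = [[0] * (D * D) for _ in range(D * D)]
    for basis in MUBS:
        for v in basis:
            P = outer(v)
            total = add(total, kron(P, P))
    diff = add(total, scale(sym_projector(D), 2), -1)
    return max(abs(x) for row in diff for x in row)


def swap_trick_gap(M, N):
    """|tr[MN] - tr[(M (x) N) F]|; zero for every pair of square matrices."""
    lhs = trace(matmul(M, N))
    rhs = trace(matmul(kron(M, N), swap_operator(len(M))))
    return abs(lhs - rhs)
```

The residual of the 2-design identity is at the level of floating-point rounding, and so is the swap-trick gap for any pair of complex matrices; the trace of `sym_projector(2)` is $d_A(d_A+1)/2 = 3$, the dimension of the symmetric subspace.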
The following is called the operator Chernoff bound.

Lemma A.3.5 ([Ahlswede and Winter, 2002, Theorem 19]). Let $X_1, \dots, X_t$ be independent and identically distributed operator-valued random variables with $0 \le X_i \le \mathrm{id}$ and $\mathbb{E}\{X_i\} = \Gamma \ge a\,\mathrm{id}$, acting on a space of dimension $d$. Then
$$\Pr\Big\{\frac1t \sum_{i=1}^t X_i \le (1 + \eta)\,\Gamma\Big\} \ge 1 - d\exp\Big(-\frac{t\,\eta^2 a}{4\ln 2}\Big).$$